Yaffle / EventSource

a polyfill for http://www.w3.org/TR/eventsource/
MIT License
2.11k stars 338 forks

!!! MALWARE !!! broke production #202

Closed vanilla-ice closed 2 years ago

vanilla-ice commented 2 years ago

commit de137927e13d8afac153d2485152ccec48948a7a

ilmerainen commented 2 years ago

Hmm, I think it's a worthwhile fix. Where did you see malware here? 🇺🇦🇺🇦🇺🇦

geoffroyp commented 2 years ago

well, from what I understand, it's a piece of code that informs about the war in Ukraine if the user's timezone is set to a Russian one

ilmerainen commented 2 years ago

I think the author of this repo is free to decide what code he publishes. Be thankful that it's free.

uzervlad commented 2 years ago

@ilmerainen ah, yes, it's free, so the author holds no responsibility for it whatsoever

ilmerainen commented 2 years ago

@uzervlad ah, yes, I think you can consider it a feature and an additional goal of the library to resist evil in any way possible. One more time, it's not malware. The author of the library doesn't steal your money or mine crypto on your PC. Dude, it's called freedom. And it's cool. Why should the author of a popular library cater to someone else's interests? Why should the number of stars define the functionality of your library?

uzervlad commented 2 years ago

> Why should the author of a popular library cater to someone else's interests?

Oh I wonder, maybe because it's their responsibility as a maintainer of a somewhat popular library?

ilmerainen commented 2 years ago

@uzervlad haha, why do you think so? Give strong arguments, otherwise your words aren't worth anything. He doesn't have any responsibility. He can even remove all the code one day.

smuellner commented 2 years ago

@vanilla-ice I guess you can close this one?

smuellner commented 2 years ago

Also, it is not considered malware if you display information under certain conditions. As previously said, see it as a feature. Also, you are free to fork it and use your own version.

vanilla-ice commented 2 years ago

> @vanilla-ice I guess you can close this one?

I guess not. I think other devs should be warned that after some timeout there will be an alert which stops JavaScript execution. If it is a feature, it would be great to document it.

vanilla-ice commented 2 years ago

> Also, it is not considered malware if you display information under certain conditions. As previously said, see it as a feature. Also, you are free to fork it and use your own version.

Also, Intl.DateTimeFormat is not supported in all browsers, so it can crash in some browsers which may not even be in the timezones targeted by the 'malware'. So I think there is a reason to keep this issue open :-)

ljharb commented 2 years ago

Has somebody filed a CVE yet? Whether you consider it malware or not, printing an unexpected console message is indeed a breaking change, and I'd have thought we all learned from node-ipc that protestware doesn't help any cause, and causes more harm than good.

and3rson commented 2 years ago

To those who were "offended", please don't forget that this is the beauty of the MIT license, as well as of several others:

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
> AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
> SOFTWARE.

Thus @Yaffle did nothing wrong and possesses a fully justified privilege to do whatever they wish with their own code.

quenbyako commented 2 years ago

I can't even be bothered to write in English, and the gentleman issue-starter obviously understands Russian better anyway.

So here's the question: @vanilla-ice, are you serious? MALWARE??? Since when is a default println() malware? Nobody is obliged to guarantee you that the developers of the libraries you use will be apolitical. It is the maintainer's lawful right; it's written in the license even for the most thick-headed: WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. Arm yourself with Google Translate and reread five times what the text of the MIT license means. Moreover: what actually happened? Did someone hijack your (or anybody else's) accounts? Maybe they broke your computer? They calmly wrote "fuck the war" in your terminal, without deleting files like node-ipc did; what came of it? The end of the world? Brandon gets separate disrespect for node-ipc, BUT WHAT HAPPENED HERE? Did a friend of yours die because of it?

@Yaffle close the issue, such smartasses will never understand the message anyway and will start a flame war of fifteen hundred comments here. We've already been through this with GitLab.

michael-o commented 2 years ago

@quenbyako Excellent! Lard to Ukraine, lard up the heroes' asses.

th-lange commented 2 years ago

I consider it a feature....

AceSevenFive commented 2 years ago

Today it's a funny message, tomorrow it's

> To those who were "offended", please don't forget that this is the beauty of the MIT license, as well as of several others:
>
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
> AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
> SOFTWARE.
>
> Thus @Yaffle did nothing wrong and possesses a fully justified privilege to do whatever they wish with their own code.

This doesn't make them immune to criticism for showing that they're willing to surreptitiously introduce code that does unexpected and unadvertised things into their product. What's to say they won't wipe computers from Russia-based IP addresses in their next version?

People have a right to not have their dependencies randomly turn into malware.

Yaffle commented 2 years ago

@AceSevenFive, I agree. Here the author of the library sacrifices his reputation for what he considers important.

michael-o commented 2 years ago

> Today it's a funny message, tomorrow it's
>
> To those who were "offended", please don't forget that this is the beauty of the MIT license, as well as of several others:
>
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
> AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
> SOFTWARE.
>
> Thus @Yaffle did nothing wrong and possesses a fully justified privilege to do whatever they wish with their own code.
>
> This doesn't make them immune to criticism for showing that they're willing to surreptitiously introduce code that does unexpected and unadvertised things into their product. What's to say they won't wipe computers from Russia-based IP addresses in their next version?
>
> People have a right to not have their dependencies randomly turn into malware.

Open source: you can inspect before you install.

AceSevenFive commented 2 years ago

> Today it's a funny message, tomorrow it's
>
> To those who were "offended", please don't forget that this is the beauty of the MIT license, as well as of several others:
>
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
> AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
> SOFTWARE.
>
> Thus @Yaffle did nothing wrong and possesses a fully justified privilege to do whatever they wish with their own code.
>
> This doesn't make them immune to criticism for showing that they're willing to surreptitiously introduce code that does unexpected and unadvertised things into their product. What's to say they won't wipe computers from Russia-based IP addresses in their next version? People have a right to not have their dependencies randomly turn into malware.
>
> Open source: you can inspect before you install.

If you think any non-trivial organization is going to be recursively inspecting every single one of their dependencies every time they're prompted for an update, I have a bridge to sell you.

ljharb commented 2 years ago

@Yaffle at least you're aware of precisely what you've obliterated :-(

michael-o commented 2 years ago

> Today it's a funny message, tomorrow it's
>
> To those who were "offended", please don't forget that this is the beauty of the MIT license, as well as of several others:
>
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
> AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
> SOFTWARE.
>
> Thus @Yaffle did nothing wrong and possesses a fully justified privilege to do whatever they wish with their own code.
>
> This doesn't make them immune to criticism for showing that they're willing to surreptitiously introduce code that does unexpected and unadvertised things into their product. What's to say they won't wipe computers from Russia-based IP addresses in their next version? People have a right to not have their dependencies randomly turn into malware.
>
> Open source: you can inspect before you install.
>
> If you think any non-trivial organization is going to be recursively inspecting every single one of their dependencies every time they're prompted for an update, I have a bridge to sell you.

At least you have the chance. It is an inherent problem of Node to have an unmanageable amount of deps.

andunai commented 2 years ago

> People have a right to not have their dependencies randomly turn into malware

...unless their right conflicts with the dependency author's right to do whatever he wants with his dependency. Then the latter has the ultimate power. Isn't this almost precisely what MIT license says?

By the way...

> Malware

I call this activism. Author of this library demonstrated 2 modern issues: subjectivity of freedom of expression and the rotten state of modern bloated front-end dependency hell.

AceSevenFive commented 2 years ago

> People have a right to not have their dependencies randomly turn into malware
>
> ...unless their right conflicts with the dependency author's right to do whatever he wants with his dependency. Then the latter has the ultimate power. Isn't this almost precisely what MIT license says?
>
> By the way...
>
> Malware
>
> I call this activism. Author of this library demonstrated 2 modern issues: subjectivity of freedom of expression and the rotten state of modern bloated front-end dependency hell.

The MIT license will not save you from US cybercrime law (or really any cybercrime law in a Western country)

ljharb commented 2 years ago

That the MIT license doesn't restrict the author's legal rights does not have any bearing on what is ethical, or expected of them by the ecosystem. Nobody's trying to sue or put in jail an author that does something like this.

That said, it helps the cause it's advocating for precisely zero, and if anything, harms it. Activism that furthers a cause is great; activism that doesn't is far worse than inaction.

th-lange commented 2 years ago

I don't get the malware angle.

Cisco states:

> Malware, short for "malicious software," refers to any intrusive software developed by cybercriminals (often called "hackers") to steal data and damage or destroy computers and computer systems. Examples of common malware include viruses, worms, Trojan viruses, spyware, adware, and ransomware. Recent malware attacks have exfiltrated data in mass amounts.

Please give a definition of malware and why you think this applies here.

I don't feel that this is the case. If it would make you feel better, I could open a "post factual" feature request.

vanilla-ice commented 2 years ago

@quenbyako where did you see println there, you uneducated macaque?))) Run my replies above through a translator if you couldn't manage to read them in a language other than Russian; I explained everything there))

AceSevenFive commented 2 years ago

> I don't get the malware angle.
>
> Cisco states:
>
> Malware, short for "malicious software," refers to any intrusive software developed by cybercriminals (often called "hackers") to steal data and damage or destroy computers and computer systems. Examples of common malware include viruses, worms, Trojan viruses, spyware, adware, and ransomware. Recent malware attacks have exfiltrated data in mass amounts.
>
> Please give a definition of malware and why you think this applies here.
>
> I don't feel that this is the case. If it would make you feel better, I could open a "post factual" feature request.

From Malwarebytes:

> Malware, or "malicious software," is an umbrella term that describes any malicious program or code that is harmful to systems.
>
> Hostile, intrusive, and intentionally nasty, malware seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device's operations. Like the human flu, it interferes with normal functioning.
>
> The motives behind malware vary. Malware can be about making money off you, sabotaging your ability to get work done, making a political statement, or just bragging rights. Although malware cannot damage the physical hardware of systems or network equipment (with one known exception—see the Google Android section below), it can steal, encrypt, or delete your data, alter or hijack core computer functions, and spy on your computer activity without your knowledge or permission.

I'd argue that opening browser windows without user consent counts as "taking partial control over a device's operations."

airtonix commented 2 years ago

Sigh...

quenbyako commented 2 years ago

@vanilla-ice

> uneducated macaque

Seriously? Couldn't you come up with a smarter insult?

I deliberately reread the comments above twice. Making up fairy tales that "not all browsers support feature X" is digging yourself even deeper, without realizing what the code published in the patch does. And it's very simple; there's no rocket science in there.

Where did I see println? Oh, there it is! But you can reuse your signature macaque insult and say that it's alert, not println. In that case, yes, I would of course be defeated, since those are diametrically opposite things.

It seems there are two uneducated macaques sitting in this thread who can't tell opening a window plus an alert from genuinely malicious code.

vanilla-ice commented 2 years ago

> @vanilla-ice
>
> uneducated macaque
>
> Seriously? Couldn't you come up with a smarter insult?
>
> I deliberately reread the comments above twice. Making up fairy tales that "not all browsers support feature X" is digging yourself even deeper, without realizing what the code published in the patch does. And it's very simple; there's no rocket science in there.

Simple and stupid, that's exactly the point. Did you find println there? In the link you posted it isn't there; wash your little face and rub your little eyes) Maybe you'll also say that alert doesn't stop JS execution?) Given that this library is a polyfill for SSE, stopping JS execution is painful. But how would you know)

quenbyako commented 2 years ago

@vanilla-ice

> Maybe you'll also say that alert doesn't stop JS execution?)

If it's ONLY this point that bothers you, then so be it, maybe I'll get up earlier tomorrow and fix the runtime stall. Just for you.

vanilla-ice commented 2 years ago

> @vanilla-ice
>
> Maybe you'll also say that alert doesn't stop JS execution?)
>
> If it's ONLY this point that bothers you, then so be it, maybe I'll get up earlier tomorrow and fix the runtime stall. Just for you.

Good boy) Don't forget to document the new feature, since you're getting up early)

quenbyako commented 2 years ago

@vanilla-ice unbelievable, do you talk to your mother the same way?

ghost commented 2 years ago

@quenbyako I think you should file a complaint about vanilla-ice's comments. You can do this on his profile (Block/Report link) with a screenshot/web link to this issue and comment.

TheOtterlord commented 2 years ago

> I'd argue that opening browser windows without user consent counts as "taking partial control over a device's operations."

Especially since it's not a listed feature of the library, nor has a breaking change version been published to prevent unwanted install of this "feature".

kexxdon commented 2 years ago

The author just shat on ordinary devs and users and is pleased with himself. Typical Ukrainian.

ilmerainen commented 2 years ago

@ljharb However, it's only your opinion that this activism doesn't have any impact. Inevitably this action will sow a seed of doubt in the minds of those who encounter it and who so far don't have an adequate position about it. There is no possibility to forecast the consequences of this activism.

ljharb commented 2 years ago

@ilmerainen only for the brief window before there's a CVE, and every dependent and business stops using the package, and any package the author has publish rights on becomes suspect. Sowing a seed of doubt is great, but this won't actually do enough of that to be worth it.

quenbyako commented 2 years ago

For those people who are showing off their Russian apoliticism:

Here is a website of the Russian fss department which works with vulnerabilities in different projects (read: HackerOne with a flavor of propaganda and repression). Go on guys, send them an email saying we found a traitor to the Motherland and they need to punish him. This parasite hacks your browser by using an alert call! Uuuu, alert stops the JS runtime, the worst vulnerability! The Nazi traitor repo owner must be punished!

vanilla-ice commented 2 years ago

@quenbyako it's enough if a potential user of the library pays attention to that commit and decides for himself whether to use it or not; everything else is your political fantasies)

quenbyako commented 2 years ago

@vanilla-ice dude, make up your mind already: did you lie that you found malware, or did you lie that it's "enough" to dig up your incredibly important issue in the ass end of the world, where you, like a knight on a white horse, warn the user?

Either take off the cross or put your pants on; you can't stage a circus about malware and at the same time write "my squawking on this subject is enough, now everybody knows".

vanilla-ice commented 2 years ago

> @vanilla-ice dude, make up your mind already: did you lie that you found malware, or did you lie that it's "enough" to dig up your incredibly important issue in the ass end of the world, where you, like a knight on a white horse, warn the user?
>
> Either take off the cross or put your pants on; you can't stage a circus about malware and at the same time write "my squawking on this subject is enough, now everybody knows".

It's a complex problem, but personally it's enough for me that it is visible rather than slipped in quietly)) It's MIT here, I can't insist that the author rewrite the code))

jorgesumle commented 2 years ago

Apart from being malware that makes the program heavier, it shows false information and encourages people to read BBC News (a state-owned British online newspaper).

> 91% of Ukrainians fully support their president Volodymyr Zelensky and his response to Russia's attack.

Just 6,307,793 votes in the 2019 elections, according to Wikipedia, and 49.84% turnout. Ukraine had 42,153,201 inhabitants in 2019.

> "The whole world condemned the unjustified invasion and decided to impose " + bold("unprecedented sanctions against Russia")

This is not true.

> "At the same time, " + bold("the Russian government restricts citizens' access to outside information")

This is true, but I think that most people already know this.

michael-o commented 2 years ago

@jorgesumle quite a narrow view from the Western world to count itself as most of the world. Fact is that most of the world does not care. No sanctions applied.

quenbyako commented 2 years ago

@jorgesumle

> in the 2019 elections, according to Wikipedia, and 49.84% turnout.

Orly? And this paper is priceless shit. OK, got it. Pretty impressive that you argue this fact with 2019(!!!) stats.

> This is not true.

Orly? And this paper is shit as well. Alrighty, got it, bro.

> I think that most people already know this

ORLY? YOU THINK? Yeah yeah yeah, you know everything, bro. You know that every Russian in every village knows that. Mhm, yeah.

Those stupid arguments are SO stupid that anyone can smash them by spending 2 seconds typing a Google search request. Stop disgracing yourself. Wanna be part of Russian propaganda? Cool, do it, but not in the dev community, please.

@michael-o

> Fact is that most of the world does not care. No sanctions applied.

Damn, dude))))

jorgesumle commented 2 years ago

> Orly? And this paper is priceless shit.

Nice link with an fbclid parameter in the URL. I can't even access those websites:

(screenshot: weird-links)

> Pretty impressive that you argue this fact with 2019(!!!) stats.

When the elections took place.

> I think that most people already know this
>
> ORLY? YOU THINK? Yeah yeah yeah, you know everything, bro. You know that every Russian in every village knows that. Mhm, yeah.

I said "most".

> Those stupid arguments are SO stupid that anyone can smash them by spending 2 seconds typing a Google search request. Stop disgracing yourself.

I'd rather not use Google.

> Damn, dude))))

What irony!

ethindp commented 2 years ago

This is a horrible "feature". Software should be politically neutral. Given the fact that this library is usually a dependency of a dependency of a dependency of a dependency and so on and so forth, users who see these anti-war sentiments will have absolutely no idea where its coming from. To them it will look like its coming from the website or webapp that they're using, not some library that's buried in the dependency tree somewhere. Did you ever consider that before adding this?

ilmerainen commented 2 years ago

> This is a horrible "feature". Software should be politically neutral. Given the fact that this library is usually a dependency of a dependency of a dependency of a dependency and so on and so forth, users who see these anti-war sentiments will have absolutely no idea where it's coming from. To them it will look like it's coming from the website or webapp that they're using, not some library that's buried in the dependency tree somewhere. Did you ever consider that before adding this?

People's lives are at stake; all this ranting is worth nothing. When the house is on fire, all this abstract talk does not apply. This is an exceptional case. I bet you can't even imagine what it is like to simply not wake up one morning.

Why are you thinking in the box that "this is right and this is not". There are no right things. Who has the power is right. And I am very proud of the author's act. At least he has tried.

ethindp commented 2 years ago

Ah, yes, the "the ends justify the means" excuse. Sorry, but I don't buy that. When I use your software or library I could care less about your political values. Your software/library does what I want, so I'm going to care about that a lot more than I would about what you politically believe in. Any other user would believe the same. This is not "abstract talk". This is the deliberate weakening of the chain of trust between a user and a developer, by the developer no less. It is not just about power. Power doesn't matter here. This is about the fact that your code should be politically neutral. Nobody who uses your code is going to give a damn about what you believe in politically. But go ahead, force your political beliefs onto all your users and insert malicious code into your software and see what happens. After all, your users totally won't be bothered when they pull in your code and release a project using it and then get complaints that their software is displaying anti-war banners all over the place and they can't figure out why. Yeah, a user totally isn't gonna care about that. Quit with your self-justifications. It does you no good. Perhaps we should have your operating system start displaying anti-war sentiments every time it starts, and we'll also have it lag for 20-30 seconds just to force you to read the whole thing. Oh and there's no bypassing it or anything; you have to sit there and read all of it entirely before you can actually use your computer. Yeah, I'm sure you won't complain about that. At all.