Comment Re:depression (Score 3, Interesting) 191

Putin went to war anyway, thinking the other countries would simply overlook his violent aggression. He very, very badly miscalculated the response.

Did he? It's not as if he or anyone else really paid any price for annexing Crimea in 2014. Why would he or anyone else think he wouldn't again be able to nibble off a bit more? I think everyone is pretty surprised by the extent of government & private sector actions against Russia over the current matter.

Comment Re: what a C**T (Score 1) 419

My point is you have to look at the changes no matter what.

No, you don't have to... though it's not a bad idea for someone to do it, ideally a trusted party or within some trusted framework.

Just as you don't have to look at your food being prepared, or how it was harvested and brought to the grocery store or restaurant ... though it's not a bad idea for someone to do it, ideally a trusted party or within some trusted framework.

Just as you don't have to look at the process of say... making a drug or vaccine... though it's not a bad idea for someone to do it, ideally a trusted party or within some trusted framework.

We have orgs like the FDA to ensure certain standards of drugs, the FDA for some parts of food production, as well as state health departments to make sure food prep is safe... and in so much of OSS we have an untold number of random projects from some random person in Nebraska with absolutely zero vetting, or official procedures or formal oversight other than caveat emptor.

Don't get me wrong, "caveat emptor" is often wise counsel, regardless of the involvement of bombs... that still doesn't excuse the actions of deliberate saboteurs, though it doesn't fully excuse the acts of those who could have done more.

You can't just upgrade and assume the license hasn't changed.

That's not the developer's problem though in a big org, that's the lawyers' problem if there is a change, and there is an issue about it later.

Stop defending lazy and incompetent engineers who make all our lives harder.

I'm not, I'm just recognizing the complex interconnected systems out there and what exists... you're defending the deranged actions of a bomb maker.

Comment Re: what a C**T (Score 1) 419

First, do you really want to keep defending an alleged bomb maker who is clearly more deranged than we knew? https://abc7ny.com/suspicious-...

Second, do you have evidence that the license changed in this way for this update that we are discussing?

Third, trying to use the license to provide cover for this behavior is what the author of a certain AIDS virus tried, it didn't work: https://en.wikipedia.org/wiki/...

Even if users are using code illegally, that doesn't justify or excuse this kind of malicious sabotage.

Comment Re: what a C**T (Score 1) 419

In any case, we're holding this guy (the author) to a higher standard than anyone else in business. We shouldn't.

I disagree. In law like the rest of life, things generally don't happen in a vacuum, they have causes, and even sometimes motivations as well. What the causes & motivations are help dictate how much blame there is.

Causing the death of another person is generally frowned upon, though there is a difference in how we view the planned and deliberate killing of another, vs in the heat of the moment, or accidentally as part of a fight that escalated, or due to a recklessness, or carelessness, or a straight up accident which could not have reasonably been predicted.

Yes, I know, no one died here, not saying anyone did, just using a commonly known area with a graduated scale.

The difference between what this guy did and just about every example cited by others is the actual malice behind it, as well as the telegraphing of it.

Comment Re:Cool suicide note (Score 1) 419

Did you not even read TFS?

Yes, I did.

I meant did, because it did happen.

You are right, I misread your comment.

The npm change prevents unpublishing of libraries.

Yes, and I noted that saying: "published projects are much harder to remove"

It does not prevent updating libraries with a malicious variant which is what happened here.

Yup, which is why I said: "It does not prevent updating libraries with a malicious variant which is what happened here."

Comment Re:what a C**T (Score 1) 419

it would be very hard to show that he "cause[d] the transmission".

No, it's not.

I don't know how much attention you've paid to the whole 'hack back' debate, especially at the legal level. There is a whole contingent of lawyers who argue that even putting a beacon in a Word doc which is designed to call home if it ever leaves your network (and has presumably been stolen) would cross the line into causing the transmission.

The person that ran the package update command would be the one that caused the transmission.

This is similar to older school viruses which didn't exploit a software bug, but human ones. It was the user who double clicked on the file, or clicked the link which executed some code... which eventually saw their system join a botnet, wipe their hard drive, or any number of other malicious things... the unwitting user carried out the seemingly innocent act, which turns out not to be so innocent because of such a trap. It's still the virus author who would be looking at ultimate responsibility.

Comment Re: what a C**T (Score 1) 419

If that were true, selling broadband with "up to $MANY Gbps" would be illegal

It's a true statement. Up to and maybe even including a specific throughput... and no guarantees up to that point.

It's shady AF for an ISP to say they are capable of given speeds and then over provision their network without building it out to support the increased demand... it's still not analogous.

Comment Re:what a C**T (Score 1) 419

He is not taking it back.

He did, the same way as someone saying "I'm not racist, but .... " is.

He just points out the difference between immoral and illegal.

I'm very aware of the differences between the two concepts, do you have a point?

Open source developers provide their code as it is and without any warranty. It is legal for them to screw up their work if they wish so.

I don't think anyone has an issue with them screwing with their code in their own repo, isolated from the world. It's when they've wired their repo up to NPM and such deliberate messing is done in order to sabotage others that is the difference.

Comment Re:what a C**T (Score 1) 419

well it isn't.

Would you prefer I use a more typical /. car analogy? smh ... or maybe you support your argument?

you clearly are not acquainted with software engineering,

Feel free to believe whatever falsehoods you want, if it makes you feel better.

but don't stress it, here is a guy who calls himself an "infoSec expert" displaying staggering ignorance about the fact that dependency freeze is an essential and necessary practice, and very especially for security reasons no less. quod erat demonstrandum this very story.

And this appeal to authority is to accomplish what exactly?

The one thing you are correct on is that in an ideal world, all software products would be tested, both on their own and validating external dependencies prior to use/release... which doesn't always happen. People or companies not taking the right/enough security steps may lead to bad things for them (or others)... but that doesn't mean they deserve what occurs or that it absolves the malicious actor.

opinions are free, and i can understand that people feel bad about this action, or think that the other guy is a jerk, and maybe he even is,

So many needless attempts at beating around the bush, so little point.

... but this crap is alarming idiocy and if this guy is really giving any professional advice then he is the real danger here, along with all the morons "trained to update" who got sick from these "apples", because that means a string of bad practices going from irresponsible dependency management to complete lack of elementary automatic testing at the very least.

Idiocy... is largely legal though, and even moral, to a point. You can act a fool all you want across a pretty wide range of areas. Others can even point out that you're a fool, tell you you're a fool, even suggest you stop being a fool for your sake or that of others... however the moment they lay a trap for you which causes any kind of injury, preying on your foolishness... that's when we start to draw a line between acceptable and unacceptable behavior, which is what happened here.

It will be interesting if any of the downstream users of this package take this individual to court over this matter. Yes, his defense is they should have done x, y or z to avoid this... and he's not wrong, though telling the jury that a robbery victim should have locked their doors, or the website should have done better validation to make sure orders couldn't set their own price, or they just happened to be using a password they found on a dump site on other sites to see if they worked and then played around in the account... tend not to work well as defenses.
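The "dependency freeze" the comment above argues over is the practice of pinning every package to an exact version so a new upstream release cannot be pulled in silently. The script below is an added example (not code from the thread or from any project discussed in it) that scans a constructed package.json and reports every dependency whose version range would let npm resolve something other than the version last tested; the manifest contents and package list are made up for illustration.

```javascript
// Added example: report npm dependencies that are not frozen to an exact version.
// The manifest below is constructed for this example, not taken from a real project.
const samplePackageJson = JSON.stringify({
  name: "example-app",
  dependencies: {
    colors: "^1.4.0",   // caret range: any later 1.x release would be installed
    faker: "~5.5.0",    // tilde range: any later 5.5.x patch would be installed
    express: "4.17.1",  // exact version: frozen
    lodash: "*",        // wildcard: whatever is newest at install time
  },
  devDependencies: {
    jest: ">=27.0.0",   // open-ended comparator: not frozen
    eslint: "8.6.0",    // exact version: frozen
  },
});

// Only a plain semver string (optionally with prerelease/build metadata) is frozen.
// Ranges, tags such as "latest", and git/URL specifiers all fail this test.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isFrozen(range) {
  return EXACT_SEMVER.test(range);
}

// Returns [{ section, name, range }] for every dependency whose specifier allows
// npm to resolve a version other than the one the developer last tested with.
function findUnfrozenDeps(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!isFrozen(range)) findings.push({ section, name, range });
    }
  }
  return findings;
}

// Stand-alone run: print one line per unfrozen dependency.
for (const f of findUnfrozenDeps(samplePackageJson)) {
  console.log(`${f.section}/${f.name}: "${f.range}" is not frozen`);
}
```

Pinning in package.json is only half of a freeze: the resolved tree also has to be committed in a lockfile and installed with `npm ci`, which refuses to run if the lockfile and manifest disagree.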

Comment Re:what a C**T (Score 1) 419

And what about all the people who took great pains to avoid the 'upgrade' to Windows 10, only to have Microsoft force it on them anyway?

Did Microsoft deliberately and maliciously upgrade them? Or was a bug hit where the efforts made were missed/reset which allowed the upgrade to occur? I don't know, neither do you... and you still conflate the two.

We do know in this case, there was malice.

I'm with CoolDiscoRex on this one - there's a double standard at play and it stinks. Especially given that people PAID Microsoft for the product and got shafted anyway.

Now you're just making excuses. If a bit of code is given away for free under a permissive license or a paid-for license is acquired under a less permissive set of terms, the end result is the same: A user using software under a given license. Period. The money that changes hands may be in exchange for certain assurances that one party will offer support, however that is materially unrelated to this case. Selling apples, giving away free apples or knowingly giving away laxative coated apples to unsuspecting consumers are not the same things. Two are fine, the third is malicious and a major violation of trust, and in many jurisdictions, the law as well.

I agree that Squires did a shitty thing

Good!

- but

Then you take it all back...

it's no worse than the shit that major companies get away with every single day.

By playing a game of whataboutism by trying to blame others for things unrelated to this situation/case. Why not focus on this independently? If/when some 'shit' a major company does comes up, address that directly, unrelated to this?

And given that those companies charge money and receive corporate welfare - which Squires doesn't - they should be held to a higher standard. The corollary of that is that Marak and other FOSS developers are free to adhere to a lower standard.

Again, excuses, creating double standards yourself to protest what you claim (incorrectly) are double standards.

Comment Re:what a C**T (Score 1) 419

The fact that you started your 'question' with a 'so' suggests you don't actually care about my answer, you seem to want to justify bad behavior you disagree with, while pointing to other bad behavior (which isn't actually equivalent).

do you favor a law

No.

that prevents software authors from making changes to said code that may behave in ways users do not like, or which may break functionality?

Laws don't work that way. Laws don't 'prevent' anything, they can however disincentivize certain behaviors.

Even if there was some sort of law which applied to this, there is a bit of a difference between feature changes which *may* break functionality and malicious changes. Kind of like the difference between regular apples and apples sprinkled with laxatives... the very example I used above.

What about functionality that Microsoft / Apple removes in one of their many updates?

Still not equivalent. There is a difference between Microsoft / Apple deciding that a certain feature isn't widely used and no longer worth the costs to maintain/support and rage quitting and taking their ball home because they didn't get their way from people who are complying with the license but who aren't giving even more $ to.

Moreover, most vendors like that are pretty up front as to which features are going to be removed, as a warning to those who may want to keep it and so should take steps to avoid updates.

Many of these are not in the users interests,

Says who? How many users? Again... depends on the why.

but the nearly-universal narrative is that they have every right to do it, and if you don't like it, use something else.

Yup, and it's still not equivalent.

What about when a phone manufacturer bricks your phone for rooting it?

Was that 'feature' discoverable prior to purchase? Even being able to ask that question again, demonstrates you are not choosing equivalent.

Besides, I am unaware of any companies which deliberately brick phones after they are rooted. Depending on the situation, it may actually be called for.

We tend to be outraged when a powerless plebe adopts the tactics of the rich and powerful. Much more so than we are with the rich and powerful themselves.

Except as demonstrated here, the 'powerless pleb' looks to have had far more power than you will admit. What that 'pleb' did was out of spite and malice, and not for any other reason which those 'rich and powerful' can more legitimately point to.

Comment Re:Cool suicide note (Score 1) 419

why did he take all those open source and community projects down with him

Do you mean *didn't*?

After the lpad incident, npm made some changes so that published projects are much harder to remove, to avoid chaos like what happened in 2016. I don't think we'll see enough eyes on changes to prevent something like this again though.
