What is open-source software (OSS)?
In software development, open-source refers to code (that is, a piece of software) that is open to the public to be viewed, modified and shared [1]. It follows that when someone downloads and uses open-source software (OSS), they are trusting that it is reliable.
One beauty of OSS is transparency: anyone can learn and improve their programming skills by reading and working with the code. Many also believe it is better than proprietary software, since more reviewers and contributors mean better odds of errors being found and fixed and of improvements being developed. In reality, however, few people are able to maintain their OSS projects consistently, especially when the project is large and the work is unpaid and unsupported. Although OSS developers can seek financial support through sponsorships (for example GitHub Sponsors) and crowdfunding (for example Buy Me A Coffee), maintenance contracts and proper compensation from the companies that rely on their work remain rare [2].
npm libraries ‘colors’ and ‘faker’ compromised by their own creator?
In past years there have been several cases in which OSS developers were asked by companies that use their projects to help with a problem, without compensation or even support for maintenance [2]. More recently, news broke that the npm packages ‘colors’ and ‘faker’ had been compromised, after users noticed that a new release of ‘colors’ printed garbage output in an infinite loop and that ‘faker’ had been emptied [2], [3]. The speculation is that Marak Squires, the creator of both utilities, intentionally altered the source code as a protest against companies that exploit OSS developers [2], [3]. Because many projects declared these dependencies with version ranges that accept any newer release, the altered versions were pulled in automatically, and projects that rely on those npm packages were affected, including Amazon’s popular Cloud Development Kit (AWS CDK), itself an OSS project [2].
Arising from this is the issue of ethics in OSS, specifically integrity, one of the three properties of the CIA security triad discussed in class. As mentioned earlier, one essence of open-source software is that anyone is free to improve the program. The Free Software Foundation further specifies this condition by stating that improvements should benefit the whole community [4]. Although the motivations for developing OSS vary, over the years OSS has gained favor mostly by staying reliable, and it is its community that ensures that.
So, going back to the npm issue: if the creator did indeed alter his creation as a protest, are his actions excusable? Is it ethically right to make changes to your own creation knowing that other projects rely on it? It is tragic that programmers dedicate their time and energy to developing this code and share it for free, while companies use their work to make millions in profit and then proceed to demand help when problems arise. So even though Squires’s supposed actions are understandable and they bring to light a sad byproduct of things being ‘open’, it has to be said that their consequence calls the reliability of OSS into question.
So what should be done? Proper compensation should certainly be established, if not for the product then at least for the service. Doing so keeps OSS developers motivated, as it shows respect for their creations and their efforts. That way, developers who mean well in developing OSS projects would not be tempted to tamper with their own code or to take it down altogether.
Now, besides a creator being able to modify their own creation, part of the OSS principle is that anyone can contribute. So how are OSS projects kept secure from malicious modifications (beyond being transparent)?
(Feel free to write your response as a comment below. 🙂 )
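One partial answer to the question above comes from the consuming side rather than the project side: a build only picks up a sabotaged release automatically if its dependency declarations float to newer versions and its lockfile cannot verify what it downloads. The script below is an added example, not code from the original post, from npm, or from the ‘colors’ or ‘faker’ projects. It audits a constructed package.json and package-lock.json (both embedded inline; the integrity values are placeholders, not real digests) for floating version ranges, lock entries without a sha512 integrity hash, and declared dependencies missing from the lock entirely.

```javascript
// Added example (not code from the original post): audit an npm project's
// package.json and package-lock.json for the settings that let a sabotaged
// release reach a build automatically: version specs that float to newer
// releases, lockfile entries without an integrity hash, and dependencies
// that the lockfile does not cover at all.
// Both documents below are constructed inline for the demo; the integrity
// values are placeholders, not real digests.

const manifest = {
  name: "demo-app",
  dependencies: {
    colors: "^1.4.0",    // caret range: any 1.x at or above 1.4.0
    faker: "~5.5.3",     // tilde range: any 5.5.x at or above 5.5.3
    "left-pad": "1.3.0", // exact pin
    express: "latest",   // dist-tag: whatever is newest at install time
  },
};

const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" }, // root project entry
    "node_modules/colors": {
      version: "1.4.0",
      resolved: "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz",
      integrity: "sha512-PLACEHOLDER_DIGEST_FOR_DEMO_ONLY==",
    },
    "node_modules/faker": {
      version: "5.5.3",
      resolved: "https://registry.npmjs.org/faker/-/faker-5.5.3.tgz",
      // no integrity field: npm cannot verify the tarball it downloads
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER_DIGEST_FOR_DEMO_ONLY==",
    },
    // express has no lock entry, so an install would resolve it afresh
  },
};

// True only for an exact semver version such as "1.4.0" or "1.4.44-liberty-2".
// Ranges (^, ~, >=, *, x), dist-tags ("latest") and URLs all return false.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.test(String(spec).trim());
}

// Dependencies whose spec can resolve to a release that did not exist
// when the spec was written.
function floatingDependencies(manifest) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isPinned(spec)) out.push({ name, spec });
    }
  }
  return out;
}

// Package name from a lockfile path such as "node_modules/a/node_modules/@scope/b".
function lockEntryName(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Lockfile entries npm cannot verify on install (no sha512 integrity).
function unverifiedLockEntries(lockfile) {
  const out = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // skip the root project entry
    const ok = typeof entry.integrity === "string" && entry.integrity.startsWith("sha512-");
    if (!ok) out.push(lockEntryName(path));
  }
  return out;
}

// Declared dependencies with no lock entry at all.
function missingFromLock(manifest, lockfile) {
  const locked = new Set(Object.keys(lockfile.packages || {}).map(lockEntryName));
  return Object.keys(manifest.dependencies || {}).filter((n) => !locked.has(n));
}

function auditProject(manifest, lockfile) {
  return {
    floating: floatingDependencies(manifest),
    unverified: unverifiedLockEntries(lockfile),
    missingFromLock: missingFromLock(manifest, lockfile),
  };
}

console.log(JSON.stringify(auditProject(manifest, lockfile), null, 2));
```

Run with `node audit.js`. The report flags ‘colors’, ‘faker’ and ‘express’ as floating, ‘faker’ as unverifiable and ‘express’ as absent from the lock. In CI, `npm ci` installs exactly what the lockfile records and refuses to run if package.json and the lockfile disagree, which is the mechanism that turns these findings into a hard stop. Pinning only buys time to review an update before adopting it; it does not replace reading the diff of the release you are about to trust.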
References:
[0] B. Taubenblatt, “The case for open source software,” mcgilltribune.com. https://www.mcgilltribune.com/sci-tech/the-case-for-open-source-software-011017/ (accessed January 19, 2022).
[1] “What is open source?,” opensource.com. https://opensource.com/resources/what-open-source#:~:text=Some%20people%20prefer%20open%20source,original%20authors%20might%20have%20missed. (accessed January 18, 2022).
[2] O. Williams, “Open source developers, who work for free, are discovering they have power,” techcrunch.com. https://techcrunch.com/2022/01/18/open-source-developers-who-work-for-free-are-discovering-they-have-power/ (accessed January 18, 2022).
[3] H. Solomon, “Protest by open source developer raises questions about compensation and ethics,” itworldcanada.com. https://www.itworldcanada.com/article/protest-by-open-source-developer-raises-questions-about-compensation-and-ethics/470489 (accessed January 18, 2022).
[4] F. S. Grodzinsky et al., “Ethical Issues in Open Source Software,” researchgate.net. https://www.researchgate.net/publication/241209540_Ethical_issues_in_open_source_software
Nice post! I think when it comes to OSS, it should be the responsibility of anyone who uses the software to view the source code and determine if there is anything malicious hidden inside. Of course, this is also time-consuming in most cases, so many people do not do this and instead trust the communities behind the software to be safe. I also wonder how likely it could be that an open-source project has malicious code written into it, or at the very least has severe exploitable flaws.
I think it is a very interesting topic you brought up in your post. OSS has been a huge benefit in the online world yet there are those who exploit the work of others to make profits. I think there should be some sort of patent system in which the authors are entitled to certain financial contributions for their work. This would be a utilitarian approach to the problem and could yield numerous benefits to the online community. Also, I like how the other commenter brought up the idea of injecting malicious code because it can be devastating to big technology companies to have malware running in their product without their knowledge. I doubt there is much being done to promote equality in the OSS field but I am sure problems like these will bring up the inevitable question on how to promote security and equality.
Hey,
Good post! As someone who uses Node.js a lot in my projects, I didn’t know about the npm packages being used this way. Generally, OSS projects are only protected from malicious changes through elbow grease. There is a core team that is in charge of code reviews and of testing new code bases before launching a new update. It takes a lot of time to maintain and update dependencies. The ethical dilemma you mentioned with the npm packages, I think, makes no sense on the developer’s part in my eyes. The developer, I am assuming, is pro-OSS, yet they are protesting the usage of OSS services. Even if these large corporations, with resources significantly higher than OSS developers, are using the package without contributing in any form, it is still in line with the core concept of OSS, that is, developing software that is not restricted. While it is unfair, I think the core concepts are more important than this unfairness. I think eventually most corporations will see the benefit of OSS and of supporting the space (Microsoft comes to mind).
Hey, amazing post! OSS has been a safe place for developers to write their code, and viewers could use that to improve or learn their coding skills. But as you said, there are still people who would misuse the code created by others, and it’s against the ethics of OSS. I believe that there should be some sort of protection for the source code, and if people want to view it or access it, there should be some benefit to the original creator. In that way we could protect the online code and it could be used in a useful way rather than a malicious way; the original creator would also be benefited, and even if someone uses their code, the original creator should be cited.
OSS is truly a double-sided sword. There are benefits such as the idea of transparency and the ability to have communities help maintain projects. However, these pros can also double as cons, as in the case of the University of Minnesota committing malicious code to the Linux project, which went unnoticed by many since most people blindly trust in OSS because of “transparency”. I don’t see the issues related to OSS talked about as often, so it’s refreshing to see articles such as yours highlighting them.
This was a pretty interesting read! For me, the concept of OSS sounds like a charity to the community. You bring up an interesting case with compensation for OSS developers. I believe there should be compensation in place for when their work is used such that they may receive a percentage of the profits. It does not sound fair when a company is making millions using the tools of a developer who gets nothing in return. However, I am not sure if we would call it OSS at that point.
Very informative read! I have always viewed OSS as very beneficial in general, but it never crossed my mind that issues like these could arise. I do believe that OSS should be available to anyone, but I also agree that the creation and sharing of a developer’s work should be done by their own free will (as they mostly are). This should include modifications that may or may not be needed. It should not be the case that a developer is forced to do something against their will. Although something may be nice to do, it does not mean someone should be obligated to follow through with it.
Hey!
Very well-written blog! I would agree that OSS is used by companies in all industries and of all sizes. It’s surprising to know how much of an organization’s software relies on open source components. I would argue against the point that anyone can improve their programming skills by just working on this code, as I believe that there should be a kind of protection on this source code. Overall, that was a great post to read!
Hey, this was a really informative post! I agree with your point that one can learn to code and improve their skillset. This is really a legitimate reason, and I guess one has to get the hang of this open-source software, and then it becomes really easy to use. They are fairly simple compared to iOS, Windows, or any Android phone. I think there should be some kind of protection or just some registration system, so that if someone takes or tries to read/edit the code, then the name and the changes made to the file should be highlighted. I know this is not the perfect way to solve the problem, but at least it prevents anyone from copying and misusing the code. All other thoughts are welcome. Although I would say this was a really nice post. I also wanted to write about open source code only, lol.
Good post!
When things are related to profits, they might become worse. In my opinion, the invention and maintenance of OSS require the authors and other associated developers to have some kind of morals and faith; they should not pay too much attention to what they can earn from their OSS. However, the companies who have earned profits from those OSS projects should pay the authors and maintainers for using them; it is like paying out dividends. But the owners of those companies are always unwilling to “share” their profits with their workers; this is about the contradiction of capitalism. Thus, for solving the problem mentioned in your blog, I think the related global organizations should try to make some rules and policies to restrict the behaviours of programmers in society.
Nice post! Open-source software is software with source code that anyone can inspect, modify, and enhance. But some people profit from the work of others. I agree with your point. All industries and companies of all sizes are using OSS. I think there should be some kind of protection system or patent system in which authors are entitled to a certain economic contribution to their work. It prevents anyone from copying and misusing the code if someone takes or tries to read/edit the code.