> It was not injecting harmful code onto the machine, it was not an "attack" on anything, in any real sense. I feel all the media is doing so far is raking the maintainer over a fire, instead of asking the question of how did we get here in the first place? Why would a maintainer feel they need to take actions like this? What are they trying to achieve?
> Instead of talking about the role of maintainers, consumers, and what to do about the state of open source software and its longevity, we are instead using this moment to go after the maintainer as if they were doing the equivalent of using their npm packages to inject actual malicious, harmful code on the consumer machines, like a cryptominer.
I agree with all of your points. I would be more sympathetic to the backlash if those affected were paying license holders, but that's not what happened.
It is a privilege to use someone's hobby project that you didn't write for free and with no strings attached.
> It is a privilege to use someone's hobby project that you didn't write for free and with no strings attached.
It isn't a privilege, as far as FOSS is concerned, it's a fundamental right. Whether one pays or not is irrelevant, that code was given to the community and it belongs to the community. No one, not even the author or project maintainer, has the right to vandalize community property regardless of their motives.
FOSS doesn't mean code is in the public domain, nor does it mean that the code is held in a public trust. It is very much the property of the copyright holder. If the community feels this way, then they could have done the work to develop, maintain and distribute the product themselves. They didn't do that, though. They chose to depend on the labor of someone who was not compensated for their time or work, which is a privilege. No one is entitled to the developer's time or labor.
> It is very much the property of the copyright holder.
And FOSS licenses purposely give away many, if not all, rights typically granted by copyright. If I buy a book and I have the same rights as the author to rewrite and republish that book, and even put my name on it, even to make money on it, then it can be correctly described as being owned by the community rather than owned by the author.
> They chose to depend on the labor of someone who was not compensated for their time or work, which is a privilege.
The developer chose to give away their labor for free, they chose to forego compensation. The FOSS model is clear in considering the ability of the end user to read, modify and redistribute code without limitation to be rights, not privileges. Whether a developer can find a way to make money is orthogonal and incidental. That's a privilege defined by contractual obligation, not a right.
You can have FOSS or you can require developers be compensated for their efforts, but you can't have both. These two concepts are mutually opposed.
> No one is entitled to the developer's time or labor.
No one is entitled to make demands of the developer, but likewise, the developer isn't entitled to make demands of anyone else. As far as the fruits of their labors go, everyone is entitled to whatever they choose to give. That's the whole point of FOSS.
But let's not pretend the original maintainer did all of the work or owned all of the copyright. There were a ton of contributors to color, and some dude actually had more lines of code edited than the original maintainer:
https://github.com/Marak/colors.js/commits/master
and faker.js seems to be more or less a port of a ruby library which was a port of a perl library.