2022-07-29

A growing trend this year has been developers deliberately sabotaging their own software libraries as a form of protest, turning the software into “protestware”, or at least that is the name this practice has been given.

A developer may, for whatever reason, change their mind about what they want to do with their open-source code. Software that was available to other people can then be changed, modified or deleted, which can leave other projects that used it altered or broken.

For example, a few weeks ago, the developer of the Python atomicwrites library, Markus Unterwaditzer, temporarily removed his code from the popular PyPI code registry (the Python Package Index, the official repository of third-party packages for the Python programming language) after the site said it would require two-factor authentication for maintainers of certain projects.

We’ve begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them. To ensure that these maintainers can use strong 2FA methods, we’re also distributing 4000 hardware security keys! https://t.co/gcCNWSqBcU — Python Package Index (@pypi) July 8, 2022

Unterwaditzer’s atomicwrites project met the criteria, and the account for this Python library was enrolled in two-factor authentication. Unterwaditzer described this in a post as “an annoying move and entitled to ensure SOC2 compliance for a handful of companies (at the expense of my free time)” that depend on his code.

Markus Unterwaditzer decided to remove his code from the registry after receiving an email from PyPI notifying him that his project now required two-factor authentication. After deleting it, he re-uploaded the code as a new project, which was not subject to the two-factor requirement. Unterwaditzer’s atomicwrites project is downloaded more than 6 million times a month.

“hi, we’ve solved supply chain security by enforcing security policies on your free labor” — wtf?? pic.twitter.com/oLmxgLmjyr — Markus Unterwaditzer (@untitaker) July 8, 2022

At the beginning of this year there was also a very well-known case. An open source developer, Marak Squires (Marak on Twitter), complained that the GitHub platform had shut down his accounts and projects (hundreds, according to him) after he pushed altered versions of two libraries he had created. The changed libraries, called ‘colors’ and ‘faker’, were used by many people.

At first it seemed that the libraries on npm (the default package manager for Node.js, which has become the centre of JavaScript code sharing and is also owned by Microsoft) had been compromised.

But then it turned out that the developer of these two libraries, Marak Squires, had introduced an “evil commit”: he had intentionally set out to affect the thousands of projects that depend on ‘colors’ and ‘faker’. His aim was to protest against mega-corporations and commercial consumers of open source projects who widely trust and use free and community software but, according to the developer, then “give nothing back to the community”.

Some compared this to another incident, in 2016, that briefly broke much of the internet after the developer of a project deleted his widely used code in protest. Developer Azer Koçulu had a trademark dispute with the Kik messaging app because his npm package was called “kik”. After npm sided with Kik in the dispute, Koçulu removed all of his code – 273 modules in total, including the hugely popular left-pad library – from the npm registry.

At that time, the popular left-pad package had amassed over 15 million downloads, and even today the library continues to be downloaded millions of times a week. So, in March 2016, developers all over the world were in trouble, as their projects broke because the left-pad component their apps depended on could no longer be found.

Another case this year dates from last spring: in March 2022, weeks after Russian troops entered Ukrainian territory, the popular node-ipc npm project (downloaded more than a million times a week) began wiping the machines of suspected Russian and Belarusian developers. The developer of the project, Brandon Nozaki Miller, allegedly sabotaged the code to corrupt the computers it was installed on.
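The incidents above share one failure mode on the consumer side: builds that resolve a version range at install time silently pick up whatever the registry serves next, whether that is a sabotaged release (colors, faker, node-ipc) or a package that was deleted and re-published under a different name (atomicwrites, left-pad). The check a practitioner wants is whether their dependency manifests pin exact versions with content hashes. The script below is an added example written for this article, not code from any of the projects mentioned; it audits a pip requirements file and an npm package-lock.json for unpinned or hash-less entries. The sample manifests and the hash values in them are constructed placeholders, and the function names are the example's own.

```python
import json
import re

# Problem labels returned alongside the package name.
UNPINNED = "not pinned to an exact version"
NO_HASH = "pinned but no --hash, so any artifact served for that version is accepted"
NO_INTEGRITY = "no integrity hash; a replaced tarball would be accepted"
NO_VERSION = "no version recorded"

# Matches "name[extras] <op> version" at the start of a requirements line.
_SPEC = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<version>[^\s;]*)"
)


def _logical_lines(text):
    """Join backslash-continued lines and drop comments, as pip does."""
    buf, out = "", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def audit_requirements(text):
    """Return (name, problem) pairs for requirements entries that would not
    fail closed if the registry served something other than the original."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):  # -r, -e, --index-url and similar options
            continue
        tokens = line.split()
        m = _SPEC.match(tokens[0])
        if not m:
            continue
        name = m.group("name").lower()
        has_hash = any(t.startswith("--hash=") for t in tokens[1:])
        if m.group("op") != "==":
            findings.append((name, UNPINNED))
        elif not has_hash:
            findings.append((name, NO_HASH))
    return findings


def audit_package_lock(lock_json):
    """Same check for npm's package-lock.json (lockfileVersion 1, 2 or 3)."""
    lock = json.loads(lock_json)
    findings = []
    if "packages" in lock:  # v2/v3: keys are paths such as "node_modules/colors"
        entries = {k: v for k, v in lock["packages"].items() if k}  # "" is the root
        names = {k: k.rsplit("node_modules/", 1)[-1] for k in entries}
    else:  # v1: top-level "dependencies" map (nested entries not walked here)
        entries = lock.get("dependencies", {})
        names = {k: k for k in entries}
    for key, meta in entries.items():
        if meta.get("link"):  # workspace symlinks carry no tarball
            continue
        if "version" not in meta:
            findings.append((names[key], NO_VERSION))
        elif "integrity" not in meta:
            findings.append((names[key], NO_INTEGRITY))
    return findings


# Constructed sample manifests; the hashes are placeholders, not real digests.
SAMPLE_REQUIREMENTS = """# constructed sample, not a real project's file
atomicwrites==1.4.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.0
colorama==0.4.6
-r other.txt
"""

SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/colors": {
            "version": "1.4.0",
            "resolved": "https://registry.example.invalid/colors-1.4.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/left-pad-1.3.0.tgz",
        },
    },
})

if __name__ == "__main__":
    for name, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements.txt: {name}: {problem}")
    for name, problem in audit_package_lock(SAMPLE_PACKAGE_LOCK):
        print(f"package-lock.json: {name}: {problem}")
```

Pinning with hashes makes an install fail closed when the served artifact differs from the one reviewed, and it stops a range like `>=2.0` from pulling in a sabotaged new release; it does nothing for the other half of the problem, a package that simply disappears, which needs a private mirror or vendored copy of the pinned artifacts.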