A developer sabotages his successful open source projects on GitHub to annoy large companies who use his work for free


Github has been controversial in recent hours. An open source developer, Marak Squires or Marak on Twitter, He has denounced that the platform has closed his accounts and projects (hundreds, according to him), after switching two libraries created by himself to a different version. Changed libraries are used by many people and are called ‘colors’ and ‘faker’.

Now Marak has a version of events and the platform a very different one. And other voices have been raised if Github users they are used as employees by the platform and the discussion on software, proprietary and open source has been reopened. Marak Squires himself says that he no longer wants to support platforms like this with his work done for free. Remember that Github is owned by Microsoft.

With this controversy, the developer also wanted to put on the table the name of Aaron Schwartz, one of the creators of Reddit, RSS and Creative Commons and promoter of various initiatives so that the Internet was a space to share more open license files. He committed suicide when he was very young after having been subjected to a very strong judicial persecution. Marak changed the readme file for faker.js with a new description: “What really happened to Aaron Swartz?”

Swapping two widely used packages on Github


The applications that use the popular open source libraries ‘colors’ and ‘faker’ They happened last week to suffer problems: they printed inconsistent data and it broke. At first it appeared that the libraries in npm (the default package management system for Node.js, which has become the hub of the JavaScript code exchange and is also owned by Microsoft), had been compromised.

But then it turned out that the developer of these two libraries, Marak Squires, had introduced a “bad commit” (a file review on GitHub, but despite the name given by various media, it did not infect other files or steal data, just was a message change) in colors.js that added “a new american flag module” and that released faker.js version 6.6.6, which also led to the same issues. Sabotaged versions make applications infinitely emit strange letters and symbols, starting with three lines of text that say “LIBERTY LIBERTY LIBERTY”.

Liberty github

It turned out that the developer of these libraries intentionally wanted to affect the thousands of projects that depend on ‘colors’ and ‘faker’. It should be said that the colors library receives more than 20 million weekly downloads only in npm and has almost 19,000 projects that depend on it. For its part, faker receives more than 2.8 million weekly downloads on npm and has more than 2,500 projects and applications that depend on its code.

Following this, the creator of these libraries, Marak, announced that “Github has suspended my access to all public and private projects. I have hundreds of projects. ”

According to Bleeping Computer, it seems that color.js has been updated to a working version, faker.js still had the problem (which can be fixed by downloading an older version, 5.5.3).

The developer’s protest

Firefox Ay630drbyz

Marak Squires, the developer, purposely corrupted the two open source libraries on GitHub in protest. What the developer wanted with this, according to what is known so far, has been to protest against megacorporations and commercial consumers of open source projects who trust and widely use community and free software but who, according to the developer, then “do not give anything back to the community.”

In November 2020, Marak warned via a Github post, and archived at web.archive.org, that already would not support large corporations with its “free work” and that commercial entities should consider compensating the developer with a “six-figure” annual salary.

“I will no longer support Fortune 500 companies (or smaller ones) with my free work. There is not much more to say,” was what the developer had warned more than a year ago.

Controversy over Github’s reaction


The controversy does not end here, the fact that Github blocked the developer from accessing its “hundreds” of projects, has led to another dispute on social networks: does the platform treat its users, who give their work for free to others, as if they were employees?

That is to say, a developer can share their creationsBut it seems that you cannot easily modify or delete them without suffering repercussions for doing so. The Verge has contacted GitHub to ask for an explanation, but there are no statements at this time.

Here it should be remembered that although the open source developer shares their creations without charging, Github is owned by Microsoft. The Redmond company paid in 2018 $ 7.5 billion for the platform that allows developers to host their code in the cloud, using the system that was created by Linus Torvalds (the founder of Linux) in 2005. And this led to a lot of dispute and dissatisfaction about the independence of this service.

Microsoft itself acquired npm in 2020 to integrate it into GitHub and make the community more attractive to JavaScript developers.

As we already published in Genbeta at that time, for some developers this acquisition means that Microsoft became the owner of practically your entire work environment to write code in JavaScript, if you add GitHub with npm and add TypScript and Visual Studio Code. Others have even commented that in practice Microsoft almost happens to own JavaScript.


Please enter your comment!
Please enter your name here