
Comment by michaelmrose

7 years ago

You think it's disgustingly douchey for people to be dismayed that software from a trustworthy dev was turned over to someone who turned it into malware?

The dev isn't responsible for the giant mound of stupid that is npm but we all have to take the world as we find it or fix it.

In the context of the world as it is, projects' deps having deps having deps, where the practical protection against a developer's machine getting pwned and eventually millions of users getting pwned is more or less developers checking to ascertain that a given library is Bob who works for Google and not lame hacker number 2388, it's poorly considered to hand over libraries to people you have no reason to suppose are trustworthy. A reasonable person could suppose that might not end well for a multitude of projects where 182 deps of deps of deps aren't vetted again per point release, because in practical fact it's impractical to do so, while it is very practical for individual authors to not transfer control of names and to publish info about their authorship.

Unlike never updating, or expecting individual orgs to vet 182 deps written by anon people with every bump, so a reasonable person ought to do their best to make the workflow that might have some hope of working work.

If you didn't want ANY responsibility whatsoever you could have not published it globally.

Anyone who imagines that responsibility is merely transactional, that it only attaches when money changes hands, has literally missed the majority of human civilization, including the more recent parts where people that give away free food are still expected to wash their hands, get food handlers' cards, practice food safety, pass inspections etc. You aren't required to provide a vegan or kosher option or even make good food, but you can't behave maliciously or negligently.

Given how projects are actually used by virtually everyone, the author's actions appear negligent. Given the hypothetical bad actually already happened, it appears that judgement is irrefutable.

You are your brother's keeper whether you want to be or not. Software isn't special; it works like every other civilized endeavor. Wash your hands and don't scratch your ass please.

In the context I work, I expect external software to be audited when incorporated into a project. It should be a significant decision backed by clear rationale to depend on someone else’s code not simply a convenience because we’re all lazy devs. I review diffs when updating library versions and guide people to prefer writing in-house solutions over including pop-software libraries. I hold my team accountable for the software they produce. I don’t disagree that everything works better when we all play nice, but I also don’t agree with deflecting the blame when your software is compromised because it doesn’t actually solve the problem and allows the same poor habits to continue unchecked. If you don’t understand a dependency enough to implement it yourself were it to disappear or break, you shouldn’t be using it.
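As an added example (not the commenter's code) of the per-bump check the comment describes, this script diffs two npm lockfiles and lists every transitive package that is new or changed version, deepest first, so each one can be reviewed before the update is accepted. The two lockfiles are constructed sample data in the real lockfileVersion 2/3 "packages" layout; the package names in them are made up.

```javascript
// Added example: compare two npm lockfiles (lockfileVersion 2/3 "packages" map, keyed by
// node_modules path) and report every transitive package that is new or bumped.
// Both lockfiles below are constructed sample data, not real project files.
const before = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0', dependencies: { 'event-lib': '^3.0.0' } },
    'node_modules/event-lib': { version: '3.3.4', dependencies: { 'map-helper': '^1.0.0' } },
    'node_modules/map-helper': { version: '1.0.2' },
  },
};
const after = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0', dependencies: { 'event-lib': '^3.0.0' } },
    'node_modules/event-lib': { version: '3.3.6', dependencies: { 'map-helper': '^1.0.0', 'flat-stream': '^0.1.0' } },
    'node_modules/map-helper': { version: '1.0.2' },
    'node_modules/event-lib/node_modules/flat-stream': { version: '0.1.1' },
  },
};

// Turn "node_modules/a/node_modules/b" into the package name "b" and its nesting depth (2).
function parseKey(key) {
  const parts = key.split('node_modules/').filter(Boolean);
  return { name: parts[parts.length - 1].replace(/\/$/, ''), depth: parts.length };
}

// Return [{name, key, depth, from, to}] for every package added or bumped between lockfiles.
function diffLockfiles(oldLock, newLock) {
  const changes = [];
  for (const [key, entry] of Object.entries(newLock.packages)) {
    if (key === '') continue; // the root project itself, not a dependency
    const old = oldLock.packages[key];
    if (!old || old.version !== entry.version) {
      const { name, depth } = parseKey(key);
      changes.push({ name, key, depth, from: old ? old.version : null, to: entry.version });
    }
  }
  // Deepest packages first: those are the ones nobody re-vets on a point release.
  return changes.sort((a, b) => b.depth - a.depth || a.name.localeCompare(b.name));
}

// Packages with from === null are new entrants to the tree: a new author to check, not just a diff.
function newEntrants(changes) {
  return changes.filter((c) => c.from === null).map((c) => c.name);
}

for (const c of diffLockfiles(before, after)) {
  console.log(`${c.from ? 'BUMPED' : 'NEW   '} depth=${c.depth} ${c.name}: ${c.from ?? '-'} -> ${c.to}`);
}
```

On a real project, load the two lockfiles with `JSON.parse(fs.readFileSync(...))` and review the diff of each listed package's published tarball before merging the bump.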