As issues of fairness and sustainability boil over, a developer sabotages his open-source code in protest

January 10th, 2022 | by Alfred Siew

A developer of open-source libraries used in many popular projects, such as cloud-based applications, was so angry about the demands on volunteers like himself that he corrupted his own code to make a point yesterday.

As a result, thousands of projects ended up breaking, with users of the libraries called “colors” and “faker” seeing gibberish on screen instead of the output they had expected, reported Bleeping Computer.

The mischief by a developer called Marak Squires appears to be aimed at the many commercial entities that build their apps and infrastructure on an open-source foundation maintained by volunteers, but which contribute no code back and do not help solve problems when they arise.

NPM, which hosts the code, has since restored an older version of the software, while GitHub, another site hosting open-source code, has suspended the developer’s account.

By now, you can imagine the controversy this has brought about. While some fellow open-source developers have backed Squires, others lambasted him for deliberately sabotaging not just his own code but a central tenet of open-source software.

Instead of causing disruption, could he not have made a statement by stopping work on the software altogether, thus forcing commercial parties to fork the project or take the code and develop it themselves?

That said, the burden of maintaining open-source software, such as fixing bugs and patching vulnerabilities, has caused much unhappiness among developers, who are often volunteers.

When vulnerabilities in the commonly used Log4j software utility were found over the recent holiday period, the open-source developers had to scramble to fix the problem in their own free time.

This has led to accusations that large companies, which themselves hire teams of IT experts, are “exploiting” the work of volunteers who do not get paid for their efforts.

Whether you agree with that, the recent episodes also raise questions of risk and sustainability.

Is it safe to base so much of one’s digital infrastructure on the work of volunteers without learning about it or contributing anything in return?

Unsurprisingly, the use of open-source components in apps has grown, from an average of 84 components per app in 2016 to 528 in 2020, according to a report by Synopsys, which specialises in chip design and application security.

Correspondingly, the number of vulnerabilities has grown as well, it found. Eighty-four per cent of open-source codebases had at least one vulnerability, with an average of 158 per codebase, according to the study of 1,500 open-source codebases across 17 industries.

It is time that businesses took a more active interest in the foundational code they use every day, instead of trusting that things will get fixed automatically by an enthusiastic community.

The open-source idea is one premised on transparency and ground-up, crowdsourced efforts to create the best, most secure code.

However, if that effort continually comes from unpaid, overworked people who are taken for granted, then the quality of the output will surely suffer.

We know what happens when disgruntled employees leave. Projects are stuck in limbo and work gets disrupted.

So, why should it be a surprise that the most important software that underpins so much of today’s digital infrastructure goes bonkers when the people who work tirelessly to maintain it are unappreciated?
