
What he did was actively malicious. There was ill-will behind the actions. He did it for the purpose of interrupting a lot of stuff that was working, simply to make some sort of statement. It was an attack, by ALMOST any definition. The fact that it was a very benign attack with very few real consequences, doesn't make it less of what it was—an attack.


He did not force anyone to update the package. They did that without looking at it. He no longer wanted his work to be disturbed. You may not agree with how he did it but calling it an attack is completely ridiculous.

These comments on HN are sending a pretty clear message out... don't open source anything. It is really really unfortunate.


No one expects a maintainer to purposely break their project. If he wanted to end it, he should have just sent a goodbye message signaling the end of his involvement with maintenance. This has been done many times before without incident. If he wanted to be paid, he should have either picked the appropriate license for his software from the start, or just changed it for future versions. The latter has also been done before, with SugarCRM being one example.

To be fair, Marak seems to be mentally unwell right now, which helps explain but doesn't condone his behavior.

https://abc7ny.com/suspicious-package-queens-astoria-fire/64...


> No one expects a maintainer to purposely break their project.

If you're using a 3rd party dependency, especially one you aren't paying for, you should expect it to break or disappear at any time.


Falling into disrepair, or not being maintained due to various valid reasons: yes. This happens all the time.

Some asshole maliciously breaking your stuff: no.

I do not use either colorsjs or fakerjs. I was close since I used the Ruby version of faker that Marak ported into nodejs as fakerjs.


This is so ass-backwards and you're practically twisting yourself over backwards a dozen times to somehow try to argue that this wasn't malicious. He basically poisoned the library, and you're blaming all the people who got poisoned because "they didn't fully inspect the contents of the code".


So do you disagree with the idea that it is his library?

If you agree that this is his library, do you believe what he did is different than a company changing their public API or deprecating them without any notice?


It’s deliberate sabotage and shipped as a routine update. If he’d walked away or made a breaking change in a major release, nobody would expect more.

Similarly, if it was a service, everyone understands that those require money to operate, but there's no analogous reason to tell people to upgrade to deliberately broken code.



