
@dominictarr
Created November 26, 2018 22:39
statement on event-stream compromise

Hey everyone - this is not just a one-off thing, there are likely to be many other modules in your dependency trees that are now a burden to their authors. I didn't create this code for altruistic motivations, I created it for fun. I was learning, and learning is fun. I gave it away because it was easy to do so, and because sharing helps learning too. I think most of the small modules on npm were created for reasons like this. However, that was a long time ago. I've since moved on from this module, moved on from that thing too, and am in the process of moving on from that as well. I've written way better modules than this, the internet just hasn't fully caught up.

@broros

otherwise why would he hand over a popular package to a stranger?

If it's not fun anymore, you get literally nothing from maintaining a popular package.

One time, I was working as a dishwasher in a restaurant, and I made the mistake of being too competent, and I got promoted to cook. This was only a 50-cents-an-hour pay rise, but massively more responsibility. It didn't really feel worth it. Writing a popular module like this is like that times a million, and the pay rise is zero.

I've shared publish rights with other people before. Of course, if I had realized they had a malicious intent I wouldn't have, but at the time it looked like someone who was actually trying to help me. Since the early days of node/npm, sharing commit access/publish rights with other contributors was a widespread community practice. https://felixge.de/2013/03/11/the-pull-request-hack.html Open source is driven by sharing! It's great! It worked really well before bitcoin got popular.

So right now, we are in a weird valley where you have a bunch of dependencies that are "maintained" by someone who's lost interest, or is even starting to burn out, and that they no longer use themselves. You can easily share the code, but no one wants to share the responsibility for maintaining that code. A module is like a piece of digital property, a right that can be transferred, but you don't get any benefit from owning it, like being able to sell or rent it; however, you still retain the responsibility.

I see two strong solutions to this problem...

  1. Pay the maintainers!! Only depend on modules that you know are definitely maintained!
  2. When you depend on something, you should take part in maintaining it.

Personally, I prefer the second, but the first probably has its place. These aren't really mutually exclusive, anyway.

As to this particular issue, I have emailed npm support and suggested that they give the module to @FallingSnow and/or @XhmikosR

@Dealscribs

Man what a terrible situation, I saw many open source maintainers asking for help on projects. No doubt.

@eckerdj7

Welp, I have been getting emails for this thread for some time now and finally decided to unsubscribe, but got curious about what it was. I didn't even remember I posted on this and then found this reply:

Again, stop imposing your morals on other people! You are totally wrong. He didn't do anything wrong. Also, he didn't defend himself, he just stated facts. We are not in a trial.

@Stargateur The irony of this statement and the fact you totally missed it is hilarious. Telling me I am "totally wrong" and to "stop impos[ing]" my morals, while you are doing exactly that. I was posting my opinion and you're also allowed to have yours. But I hope you consider taking a different approach in the future.

Also, the point of making a comparison between two things like I did is to draw parallels that help concepts to be understood. I wasn't saying code is a child. The point was that sometimes we have social and civic responsibilities that we didn't ask for. The MIT license is great and all, but I wasn't talking about legal responsibility. Just because someone slaps an MIT license on some code and shares it online, doesn't mean they can put malware in it and not have consequences. I'm not saying he did that. Just making another comparison.

Not at all, again, you understand nothing

I don't understand most things, I'll give you that. But I like to think I understand some things pretty well. Like how to talk to random strangers on the internet. Maybe try being more respectful and compassionate to others? I'm not sure why you felt the need to respond to my comments in the way you did, but I genuinely hope you don't treat those you interact with in real life in this way.

@Liamjohn345

The event-stream compromise involved a malicious actor injecting harmful code into a widely used JavaScript library. The attacker gained control by offering to maintain the project, later adding malware targeting cryptocurrency wallets. This incident highlighted major security risks in open-source ecosystems, emphasizing the need for vigilant code review and trust.

@ShellShockersionline

Totally agree with the sentiment here. Maintaining a popular module can quickly become more of a burden than a reward, especially when you're not actively using it anymore. It’s like holding onto a project that you’ve outgrown, but still feeling responsible for its upkeep. The analogy to getting promoted to cook with a small pay bump but a massive increase in responsibility hits hard. That said, the community model of sharing and maintaining packages is really what makes open-source great—just not sustainable if there's no incentive to keep it going.

I think the idea of paying maintainers is a step in the right direction, and the more people who take ownership of their dependencies, the better. In the case of Geometry Dash Lite (or any other popular but unmaintained modules), it’s clear that having fresh, motivated contributors is key to moving things forward. Hopefully, the transition of responsibility to the right folks (like @FallingSnow and @XhmikosR) will help out and keep things in a better spot.
