github/site-policy

Policy on changes to / deletes of open source projects used by Microsoft or GitHub

elaine-jackson opened this issue · 16 comments

According to the developer of FakerJS in a Twitter thread (https://twitter.com/marak/status/1479200803948830724), they pushed an update to NPM and GitHub removing all functionality of their project (commit tree purged and bad NPM update pushed). GitHub and by extension Microsoft's policy on developers deleting their projects is unclear.

Update: The Twitter thread in question was not entirely truthful and misleading. Bad code got pushed vs a simple delete. Things were explained that I've mentioned in a comment #513 (comment). I've updated the wording of this post as well.

Another update: This comment explains abuse of GitHub specifically #513 (comment)

GitHub and Microsoft's policy on developers making changes to or deleting open source projects that people on GitHub depend on is unclear. A user pushed adverse code to NPM (which got yanked) and used git force push functionality to delete a repo. They were banned from GitHub and presumably NPM as well.

In general GitHub has taken a light touch when it comes to dual-use content. (See https://docs.github.com/en/github/site-policy/github-community-guidelines#active-malware-or-exploits on active malware or exploits).

Is your behavior on GitHub and NPM linked now? What are the actual terms and community guidelines that apply to this situation?

A site policy that people agree to by using GitHub is necessary to set rules on what maintainers can and can't do to popular NPM packages.

It should answer the following questions:

  • Is using Git Force Push (git push --force) to purge a commit tree of a popular open source project allowed?
  • This may be more of an NPM policy but are you allowed to delete a package from NPM and disable future downloads by pushing an update? What are the rules on GitHub Package Registry?
  • Do special rules apply if Microsoft or GitHub uses your Open Source NPM Package? Do I have additional responsibilities as a maintainer? Can we opt out of Microsoft or GitHub using our package if we don't want to follow or face liability if something goes wrong?
  • If you break the rules on NPM, are you also banned from GitHub?

Packages and releases on npmjs can not be deleted anymore (after 24 hours and when there are more than 100 weekly downloads afar) since the left-pad drama.

Currently the community tries to pin to a release, which is ok.

git push -f is a normal feature of git and totally fine.

Is using Git Force Push (git push --force) to purge a commit tree of a popular open source project allowed

Sure, except if you are working on some project where you have signed some contributor agreement / CLA which does not allow this and you are not the owner.

Do special rules apply if Microsoft or GitHub uses your Open Source NPM Package? Do I have additional responsibilities as a maintainer

That depends on the license (MIT, GPL, ...) that you choose.

Besides this, you have accepted and probably read the terms of service of both platforms. Releasing malware would be a valid reason to take the access - the npmjs released security-packages (placeholder) or unpublished releases in such cases.

noway commented

Imo, not being able to delete your own project is a violation of trademark, even under viral licenses. Even though the code must be shared, the trademark owner has every right to disassociate the codebase from that name and therefore delete the package/repo.

@noway you can delete repos as owner on github.com whenever you want. npmjs is a totally different story. That was changed due to left-pad.

@noway see also

https://docs.npmjs.com/unpublishing-packages-from-the-registry#unpublishing-a-package

https://docs.npmjs.com/unpublishing-packages-from-the-registry#how-to-unpublish

https://www.npmjs.com/policies/unpublish

As a package owner or collaborator, if your package has no dependents, you can permanently remove it from the npm registry by using the CLI. You can unpublish within 72 hours of the initial publish; beyond 72 hours, you can still unpublish your package if it meets certain criteria.

These criteria are set to avoid damaging the JavaScript package ecosystem. If you cannot unpublish your package, you can deprecate it instead.

To unpublish a package, you must meet the requirements of the package unpublishing rules.

https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm.html

Corrections/Updates are due so I'll add now. It was mentioned to me privately that the package author pushed a malicious update to the NPM package for faker.js which did get reversed which caused a local DOS incident and log spamming.

This said the package being revoked by NPM potentially with an account ban or suspension would be completely understandable. What's unclear is after abusing NPM, the author's GitHub account was banned.

Historically dual-use content (malicious code) has been allowed on GitHub, but not NPM as it's considered a runtime/install service. The full policy is at https://docs.github.com/en/github/site-policy/github-community-guidelines#active-malware-or-exploits. Why would they be banned from GitHub and not just NPM?

I get the impression that the GitHub account was banned after deleting the source code tree at https://github.com/Marak/faker.js although the NPM update, while I believe the policy is left unclear would make more sense from a ban context than just for deleting code.

@irlcatgirl From what I can tell, the Github ban might be as a result of violating Github's TOC Acceptable Use guidelines where

You agree that you will not under any circumstances violate our Acceptable Use Policies or Community Guidelines.

and Community Guidelines include rules against causing technical harm to other users, such as

such as using GitHub as a means to deliver malicious executables or as attack infrastructure

Dual-use content is allowed under the assumptions that they are done with positive intentions in mind and is for

the posting of content that is used for research into vulnerabilities, malware, or exploits

From the parts of the story I've seen so far, @Marak's intents might not be considered quite positive or research related, and could have caused quite some technical harm to other github users.

To be clear I am not on Marak's side at least not entirely. To summarize:

  • I 100% agree it harms NPM users. Most corporate users will be pulling the NPM package not from the GitHub repo.
  • A yank of the update, perhaps a ban from NPMJS would be appropriate
  • I am not sure though that blanking the GitHub repo (the repo that is up currently is empty with a purged commit tree) caused technical harm to GitHub's users and this was an issue up to NPM to solve when he abused their service. Is a ban from GitHub itself appropriate here?
  • The code was not positive or research related but also the GitHub repo remaining up wouldn't cause harm. In fact, the actual repo is up just empty. Perhaps another project then broke a rule, I don't know as GitHub doesn't post information about every individual suspension.

But I'm not here to debate their suspension. I'm here to request that GitHub Policy reflect that if you abuse NPM, your access to GitHub will also be revoked.

@irlcatgirl He didn't quite just blank the faker repo, he put an infinite loop in colors repo depended on by 19K other projects

In the United States, limitation of liability (such as the MIT license) does not apply to "harm willfully inflicted."

(I'm not an attorney, and this is not legal advice)

@irlcatgirl He didn't quite just blank the faker repo, he put an infinite loop in colors repo depended on by 19K other projects

Thank you for linking this.

Should this also be something that NPM deals with or was this abusing GitHub package repo?

I'm not too sure either, but I think it likely falls under both, seeing as the actions performed likely violate NPMJS rules on Acceptable Content and Github's Community Guidelines.

So rather than one ban causing the other, it may just have been that his actions violated the ToC of both platforms simultaneously, so each community took action individually. So he was banned from NPMJS for intentionally uploading a package containing malicious computer code on the NPM registry against NPM's ToC, and Github banned him for uploading/distributing intentionally malicious code on Github against Github's ToC.

Both Github and NPM should be in charge of maintaining their own individual communities. So actions in one community should not affect one's participation in another, but neither should punishments by one community prevent another community from taking action for violations against their ToC.

Qix- commented

Just a reminder that Github has not released a statement about why they suspended the account. It could have been an initial response protocol for suspected account compromise while they investigated. The account in question appears to have been restored.

Let's not all jump onto any particular narrative quite yet. There are some immediate concerns that need to be addressed first, and Github has a much broader view into the problem than we do.

There are plenty of reasons to be annoyed with Github. This isn't one of them. These sorts of actions by Github are exceedingly rare. I can count on one hand the number of accounts I've seen Github suspend in my ~10 years here, most of which were entirely justified (targeted harassment, calls to violence, egregious amounts of blatant hate speech, etc.)

My instinct here given that everything has been restored is the action was a result of an initial "freeze everything while we check things out" protocol in the event a very prominent account has been compromised. I wager that once they determined that the account's actions were performed by the account holder (regardless of malignance) access was restored.

Let's not let a sample size of 1 make us throw everything into question. Github is a corporation, yes, but they've served the OSS community well for a long while. Conversations about centralization aside, the actions here probably helped more than they hurt, despite appearances.

tubbo commented

Marak is not a person of sound mind: https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

He should not be allowed to work on code anymore until he gets the help he needs. He's a terrorist and an abuser, and should be at Gitmo rather than GitHub.

Marak is not a person of sound mind: https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

He should not be allowed to work on code anymore until he gets the help he needs. He's a terrorist and an abuser, and should be at Gitmo rather than GitHub.

The background of the user is irrelevant unless they're making threats on GitHub. Does GitHub have a policy to do criminal background check before allowing you to open/maintain an account here? This would affect the ability to have anonymous accounts and implications for people using GitHub for information security projects who've had a criminal background.

It's up to our local governments to conduct a criminal investigation, review the facts, and take the issue to trial if they have evidence a GitHub user has broken the law. GitHub is not the place to conduct a pseudo criminal trial.

The policies at GitHub need to be written as direct, clear, so everyone knows the rules and there are no surprises you got banned because of an unwritten rule. Which much of the community is anxious given the situation.

We don't know Microsoft's reasons for the GitHub Account Ban, perhaps something else happened that we all are unaware of. Let's not jump to conclusions but rather discuss the facts we know and talk about how policy could be written to deal with them.

Based on the community discussion I'm going to close this issue. There are too many unknown factors to know whether a policy change is truly needed. Feel free to reopen it if more information comes to light.