Disclaimer:<\/strong> The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE\u2019s position nor that of the Computer Society nor its Leadership.<\/p>\n<\/div>\n As part of this post, I\u2019m going to look at:<\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n Want More Tech News? Subscribe to ComputingEdge Newsletter Today!<\/strong><\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n MongoDB is a company and in order to comply with sanctions, they have decided to cut off Russian customers. I think there\u2019s a bit of inconsistency in the tech sector on whether a SaaS offering and paying a subscription is tantamount to a new sale, but I think that is in the spirit of the sanctions \u2013 making it difficult for Russian companies to operate. Mongo is a commercial entity and as such can choose who to sell its wares. I don\u2019t think there are any restrictions on running an instance of Mongo in your own kit.<\/p>\n While I agree with this, it does pose an interesting question. What would happen to your organization if a service provider disappeared?<\/p>\n Note, I do not think that this means that we should all rush to build our own data centers, writing our own databases, and running all our own services. The simplification and optimization of using Software as a Service should not easily be dismissed.<\/p>\n However, it does not hurt to be prudent and do a threat assessment of what would happen if the service disappears. Again, I do not think that this should be taken as an incentive to run everything in multi-cloud, as I happen to think the overall increase in complexity would actually reduce reliability.<\/p>\n \u00a0<\/p>\n A bit more sinister is this story \u2013 under the moniker \u201cprotestware,\u201d the Now, supply chain attacks against node modules are nothing new. Not many months go by without a story about a hijacked node module installing backdoors or cryptominers. I think it is safe to say everyone agrees that these attacks are malicious and the actions are those of criminals.<\/p>\n With this idea of \u201cprotestware,\u201d it becomes morally a little bit ambiguous. I think this feels a little bit of a problem of recent times where because of Brexit or Trump, political discourse has turned to be very divisive and tribal.<\/p>\n You are either with us or against us.<\/p>\n In my mind, the term \u201cprotestware\u201d is attempting to legitimize the malicious actions and very much turns open source libraries into weapons to be aimed and fired at your opponent. I do think that these actions are to be condemned \u2013 especially as the \u201cdelete files based on geofencing IP addresses\u201d has got the potential of causing collateral damage.<\/p>\n I don\u2019t know how much truth there is in the issue raised on the Anecdotal evidence of misidentification of IP addresses makes this a very indiscriminate weapon. And I have to ponder, if mass-bombing of civilian targets by Russia\u2019s armed forces is to be abhorred, blanket wiping files in the Russia IP range is not exactly a targeted action.<\/p>\n \u00a0<\/p>\n Last but not least, I\u2019d like to look at a story that community terraform modules for AWS have been updated to include political statements.<\/p>\n First, there was a change to the license \u201cAdditional terms of use for users from Russia and Belarus.\u201d<\/p>\n By using the code provided in this repository you agree with the following:<\/p>\n In addition, this acceptance was included in the code:<\/p>\n \u00a0<\/p>\n Setting the variable to Now, I think this is problematic on two fronts.<\/p>\n \u00a0<\/p>\n The definition of an Open Source License is quite clear:<\/p>\n 5. No Discrimination Against Persons or Groups The license must not discriminate against any person or group of persons.<\/p>\n<\/blockquote>\n I don\u2019t really want to have to read through each of my dependencies and transitive dependencies licenses to determine whether I am agreeing to discriminatory terms by using a library.<\/p>\n Where does it end?<\/p>\n It is quite undesirable to politicize and weaponize open source that way. Depending on what kind of organization you work with, it might be completely unacceptable and outside the permission for an engineer to agree to these kinds of contracts.<\/p>\n I can\u2019t imagine that a government agency would want to discover that the software they\u2019re using is mandating some kind of political stance.<\/p>\n \u00a0<\/p>\n This article argues that it is not practical to encode morality into licenses, as it would either be ignored or forked anyway.<\/p>\n The JSON license, \u201cThe Software shall be used for Good, not Evil,\u201d is unenforceable, and the licenses are designed with clause 6 in mind, \u201cNo Discrimination Against Fields of Endeavor,\u201d in order to avoid license traps from downstream dependencies.<\/p>\n In my opinion, the result of the The author of the change discussed this on Hacker News and it has since changed the name of this AWS terraform to be \u201cAdditional Information\u201d rather than \u201cAdditional Terms and Conditions,\u201d but the In my opinion that should raise eyebrows, if not red flags, about the \u201csafety\u201d of these components. It looks like these changes were made straight into the master branch without pull requests \u2013 that does suggest a lack of review process. These actions have negatively impacted the trust in the maintainers. And that makes me wonder whether using those components is safe.<\/p>\n Furthermore, from a licensing perspective, some organizations have guidelines of what licenses are permitted, so changing a license could be quite risky. In addition, if it can be argued that the code breaks the spirit of the license, would it still be safe to use it? Some war stories about frantically removing \u201cinfectious\u201d GPL\u2019d libraries make me think the lawyers might have a field day.<\/p>\n \u00a0<\/p>\n Now, if trust is gone, there are only the following options:<\/p>\n The problem with dependencies in modern software engineering is that only the biggest organizations have the resources to write all their own libraries (e.g. Google, Goldman Sachs, etc).<\/p>\n Most organizations simply do not have the capacity to write everything from scratch \u2013 and for good reason. The whole point of open source is collaboration and re-use, there has to be some trust.<\/p>\n Dependencies and supply chain attacks are a big thing. And yes, some people advocate dependency scanning and version pinning, but I don\u2019t think it is possible to use open source libraries at scale without a certain amount of trust.<\/p>\n I\u2019m working in an organization where there are hundreds of teams and thousands of microservices. I\u2019m trying to think about how we can assess the risk of thousands of dependencies and millions of lines of code.<\/p>\n Without trust, the only way that\u2019s possible is to fork all libraries, prevent open source, and generally kill off any agility and velocity.<\/p>\n My problem is that this weaponization is killing off trust.<\/p>\n I think the temptation of using open source projects as weapons against Russia should be resisted because it sets a dangerous precedent and may ultimately set back the open source movement and push organizations back into seeking refuge in commercial software with all its opaqueness and obscurity.<\/p>\n It\u2019s not about sitting on the fence or taking sides in a war. It\u2019s about what open source has achieved over the last 30 years and I think that\u2019s now at risk of becoming collateral damage.<\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n Do you have another perspective on the topic shared in this article? Let us know by filling out our guest blog form and share a few points you\u2019d like to address. Complete the form here.<\/em><\/p>\n<\/div><\/div>\n![\"Picture](\"https:\/\/ieeecs-media.computer.org\/wp-media\/2022\/03\/30222908\/on-the-weaponization-of-open-source.jpg\")
First of all, I need to preface this article with how much I abhor the current conflict in Ukraine and I wholeheartedly support the sanctions. However, I think the conflict has spilled over into areas of software development that have got some unintended consequences attached.<\/p>\n\n
\n
\nMongoDB Cutting Off Russian Customers<\/h2>\n
\nNode Library Deleting All Files on Russian IPs<\/h2>\n
\npeacenotwar<\/code> dependency was injected into dependencies that affected Vue.js CLI (and Unity by some reports). peacenotwar<\/code> checks the IP address of the computer it is running on, and if it is deemed to be inside Russia, deletes all files.<\/p>\npeacenotwar<\/code> repository that an American NGO lost 30,000 files documenting Russian war crimes \u2013 but it should be remembered that geo-location is not always right.<\/p>\nPutin Khuylo<\/h2>\n
\n\n
\n\n
\n \n 1\n<\/span>2\n<\/span>3\n<\/span>4\n<\/span>5\n<\/span><\/code><\/pre>\n<\/td>\n\n variable<\/span> \"putin_khuylo\"<\/span> {\n description<\/span> = \"Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https:\/\/en.wikipedia.org\/wiki\/Putin_khuylo!\"<\/span>\n type<\/span> = bool\n default<\/span> = true<\/span>\n}\n<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nfalse<\/code> means the terraform module will not work.<\/p>\n1. I don\u2019t think this can be classed as open source anymore.<\/h3>\n
\n
\n
2. I don\u2019t think this can be enforced anyway<\/h3>\n
putin_khuylo<\/code> change is that this terraform AWS module can no longer fulfill either of those clauses and therefore can no longer be classed as open source.<\/p>\nputin_khuylo<\/code> code change remains in the module.<\/p>\nWhat to Do?<\/h2>\n
\n\n
About Gerald Benischke<\/h2>\n
\n![\"Headshot](\"https:\/\/ieeecs-media.computer.org\/wp-media\/2022\/03\/30224648\/Gerald-Benischke.jpg\")
Gerald Benischke is a UK-based software engineering consultant, and over the last 20 years has worked in the public, financial, and telecom sectors with clients including Barclays, HMRC, and MBNA. His primary interests include middle-tier services, databases, security, automation, and functional programming.<\/p>\n