#3 - What happened to 'colors.js' and 'faker.js', Apple Private Relay and changes in Signal
What happened to ‘colors.js’ and ‘faker.js’?
A hot topic in software development communities is how to compensate programmers who work on OSS projects. With the avalanche of Venture Capital money pumping up the valuations of startups and scaleups, it is unfair (to say the least) that they are built on top of the work of hobbyists who don’t get a dime. It is even more outrageous when most of the technologies we use daily embed hundreds of libraries that their developers licensed for nothing. The XKCD comic that illustrates this issue is more truth than joke.
Last week we saw a developer sabotage his own work: he wiped the faker.js repository and published a version of the colors.js library that deliberately runs an endless loop. Both are very popular libraries, so hundreds of projects were affected almost immediately. Modern software works this way: a new release of a dependency propagates to many downstream projects in a matter of hours, because the version ranges in package.json let the next install pick up the newest matching version and Continuous Delivery pipelines install and ship it automatically. So a wave of chaos and uncertainty hit the developer communities over the weekend. What happened?
The developer is Marak Squires. He has complained in the past about the difficulty of monetizing his open-source libraries. Blaming evil corporations and greedy startups is an easy way to enrage an audience on social networks. But the truth looks sadder: this seems to be a mental health problem rather than a licensing dispute.
Ten years ago, the Node.js maintainers had problems with him when he deleted the hook.io code repository without prior notice, and he was later pushed out over his behaviour. Things got darker more recently, when a fire at his apartment in Queens ended with the NYPD arresting him on charges related to bomb-making materials found there. Things did not improve after some professional disappointments, and everything exploded last weekend.
There are ways to reduce this kind of attack on the software supply chain (pinning versions, committing lockfiles, vetting upgrades before they reach production). Still, the weakest element of our industry is people: one guy from Queens having a bad day can take down a big chunk of modern infrastructure.
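To make the propagation mechanism concrete, here is an added example (not code from the newsletter, nor from the colors or faker projects) that audits a package.json for floating version ranges and shows what an install without a lockfile would resolve them to. The manifest and the publish history are constructed for illustration; the "1.4.1" and "1.4.2" entries stand in for the sabotaged colors releases, and the pre-release "1.4.44-liberty-2" shows why a caret range does not pick up pre-release tags but does pick up a plain patch release.

```javascript
// Added example, not code from the newsletter or the colors/faker projects:
// audit a package.json for floating ranges and resolve them the way an
// unpinned install would. All data below is constructed for illustration.

const PUBLISHED = {
  // Constructed publish history, not a live registry query.
  colors: ["1.3.3", "1.4.0", "1.4.44-liberty-2", "1.4.1", "1.4.2"],
  faker:  ["5.5.3", "6.6.6"],
  lodash: ["4.17.20", "4.17.21"],
};

const PACKAGE_JSON = {
  dependencies: {
    colors: "^1.4.0",  // caret: any 1.x.y >= 1.4.0, what npm writes by default
    faker:  "~5.5.0",  // tilde: any 5.5.x >= 5.5.0
    lodash: "4.17.21", // exact pin
  },
};

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric comparison of major.minor.patch; pre-release tags are handled in
// satisfies(), which never lets a range admit them.
function cmp(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Does version v satisfy range r? Supports exact, ^, ~ and "*". As in
// node-semver, a pre-release version only matches an exact request, so
// 1.4.44-liberty-2 is NOT pulled in by ^1.4.0, but a plain 1.4.2 is.
function satisfies(v, r) {
  const ver = parse(v);
  if (r === "*" || r === "latest") return ver.pre === null;
  if (r.startsWith("^") || r.startsWith("~")) {
    if (ver.pre !== null) return false;
    const base = parse(r.slice(1));
    if (cmp(ver, base) < 0) return false;
    if (r.startsWith("~")) return ver.major === base.major && ver.minor === base.minor;
    if (base.major > 0) return ver.major === base.major;                    // ^1.4.0 -> 1.x.y
    if (base.minor > 0) return ver.major === 0 && ver.minor === base.minor; // ^0.4.0 -> 0.4.y
    return cmp(ver, base) === 0;                                            // ^0.0.3 -> 0.0.3 only
  }
  return v === r; // exact pin
}

// A range is "floating" if it is anything other than an exact x.y.z pin.
function isFloating(r) {
  return !/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(r);
}

// Resolve each dependency the way an install without a lockfile would:
// the highest published version that satisfies the range.
function resolve(pkg, published) {
  const out = {};
  for (const [name, range] of Object.entries(pkg.dependencies)) {
    const ok = (published[name] || []).filter((v) => satisfies(v, range));
    ok.sort((a, b) => cmp(parse(a), parse(b)));
    out[name] = { range, floating: isFloating(range), resolved: ok.length ? ok[ok.length - 1] : null };
  }
  return out;
}

// Names of dependencies whose next install could silently change.
function floatingDependencies(pkg) {
  return Object.entries(pkg.dependencies)
    .filter(([, range]) => isFloating(range))
    .map(([name]) => name);
}

for (const [name, r] of Object.entries(resolve(PACKAGE_JSON, PUBLISHED))) {
  console.log(`${name.padEnd(8)} ${r.range.padEnd(9)} -> ${r.resolved}${r.floating ? "  (FLOATING)" : ""}`);
}
```

Running it shows colors resolving from ^1.4.0 to 1.4.2 and faker from ~5.5.0 to 5.5.3, while the exact lodash pin stays put. The practical fix is to commit package-lock.json and install with `npm ci`, which refuses to resolve anything not already in the lockfile; `npm config set save-exact true` makes npm write exact pins instead of caret ranges for new dependencies. Neither stops a maintainer from publishing a bad version, but both stop it from reaching your build until someone deliberately upgrades.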
Apple Private Relay vs. Telecoms
Apple is rolling out a new service (in beta) for iCloud+ subscribers called Private Relay. It sits somewhere between a classic anonymizing VPN and Tor: traffic goes through two hops, an ingress relay run by Apple that sees your IP address but not the destination, and an egress relay run by a partner that sees the destination but not your IP. Only Apple devices can use it, and Apple checks that the device belongs to a paying subscriber with a blinded-token scheme that, at least by design, keeps the relays from linking a subscriber to the sites they visit. Apple claims it wants to protect the privacy of its customers from the grabbing hands of voracious data gatherers who, by an incredible coincidence, happen to be Apple competitors.
In a plot twist, the telecoms of the world, especially the European ones, are up in arms: they argue it will be hard to guarantee quality of service if they no longer have full visibility into the network stack. The telecom lobby in Brussels is playing its cards and wants the EU regulator to ban the service.
But is Apple Private Relay good or bad for users? I don’t trust telecoms or Apple: both want to grab our data and monetize it. The scale of the Private Relay infrastructure is scary: it has to support billions of devices. The roadmap of this service looks long-term and is probably connected to upcoming plans that follow the usual Apple playbook: eliminate the middleman.
More stuff
The messaging app Signal announced that it will appoint a new CEO. Meanwhile it seems to be working on new features such as Instagram-like Stories and cryptocurrency payments.
Some open source project maintainers complain that crypto bros are selling NFTs of cornerstone commits of their projects, and they want to disallow it.
LastPass is damaging its reputation. Again.
The music snippet
Mental health is a serious issue. Please look for help and support if you need it.