💾 Archived View for gemini.susa.net › attack_vector_for_foss.gmi captured on 2023-03-20 at 18:08:23. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

-=-=-=-=-=-=-

Attack Vector for FOSS

This first crossed my mind when I read Gordon Henderson's 'rant' about the mental effort in supporting his WiringPi library, which provides Arduino Wiring-like functions for users of the Raspberry Pi.

In short, he got increasingly pissed off by lazy, incompetent, or just plain rude people making demands of him that were completely unjustified. The final straw was someone who rudely demanded the source code for the latest release immediately, pointing out that he was obligated to under the LGPL. Now the guy was wrong - it's Gordon's code, he has the choice about how he releases it. He'd always chosen to release it as LGPL and nothing was different this time, just that the code was late being pushed.

wiringPi – deprecated... This has turned into a bit of a rant. Sorry.

It's really sad to read things like this. In particular, the code and related support was given freely and generously. Nobody is entitled to anything from Gordon, or for that matter, from anyone who produces free software. It's generosity and a gift, and should be treated as such.

Then Raymond Hill and uMatrix

The author of uMatrix and uBlock Origin, Raymond Hill, is one of the most sincere and genuine people I've encountered on the Internet. His generosity regarding uBlock Origin is a *huge* gift to the world, even though not enough people make use of his work, which provides content filters to block tracking, adverts, and all sorts of stuff that is hostile on the web.

He won't even take proper credit for his work, let alone hard cash. He credits the block-list maintainers, and suggests any donations be made to them. While this is correct to a point, it hugely undervalues his own contributions, but that just seems to be Raymond Hill.

And so, very recently, Raymond put uMatrix into read-only mode, meaning that no futher development will take place on this software. The reason seems to be frustration at the attitude of some people who use uMatrix, kind of similar in many ways to the sorts of things Gordon was suffering.

gorhill comment that declares uMatrix archived

Anyway, as it is, I've archived uMatrix's repo, I can't and won't be spending any more time on this project, and neither on all such issues.

Which makes me want to yell "Aargh! Be kind to these people. Don't take them for granted! You have no idea how valuable kindness and generosity is in a world dominated by greed and selfishness. Jeez!"

The fact that Raymond Hill has integrity *and* is not financially motivated, particularly where an industry stands to lose out on millions of dollars of potential exploitation money, makes him a difficult person to 'buy off' or otherwise persuade to 'just not do' what he does.

And here's the Attack Vector

Just like 'marketing' companies will use their networks of 'influencers', whether in-house or contracted, to shill your product or service, there's no reason why they couldn't just turn their efforts to trolling open source developers where, for example, the software being developed stands in the way of their client's profit.

At a glance, this might seem a risky strategy for any organisation to pursue. Engaging a marketing company for such nefarious purposes risks a lot of negative exposure.

On the other hand, tacit understanding is a thing. If you talk to a hundred marketing companies, asking for novel ways to tackle the scourge of their open-source competition, perhaps mentioning stuff anecdotally, it's very likely that at least one of them will be on track to arrive at trolling as an option. All that remains to do is tacit acknowldgement, simply by engaging the services of that specific agency, to pursue the goal.

It's often the most incompetent and naive users that cause the most frustration to support, and there are plenty of incompetent people willing to sell their soul in the 'gig economy'. Add rudeness and entitlement to that, and you've got the perfect wind-up mechanism to make developers think 'Fuck it. I've had enough!'.

How to avoid this from happening

I don't know. This could apply much more widely than the two examples that stick in my mind. Whether or not it's being used, it's a very exploitable weakness. Targeted harrassment has been a thing on the Internet, even without financial gain as a motivating factor. Even just idological opposition to the principles of free software would be motivation enough for some people.

When I first read about Gordon's woes, in the first instance I thought 'give this poor guy a hug'. This would likely have been of little to no benefit. My second thought was to advise him to be thicker skinned - to simply disregard this negative stuff completely. This is not easy to do, particularly if you are a fundamentally kind person. Then I thought I could offer to field his support issues, and shield him from the crap. I selfishly, but probably realistically, thought that I'd not be able to sustain this effort, particularly since I've never been a user of WiringPi.

On the other hand, I would probably make time to field uBlock Origin issues, because I use and benefit from this software on a daily basis. I'm still thinking about this.

But perhaps the mere awareness of trolling as a possible attack vector would allow free software developers to view rudeness in support issues as something that's possibly just a systematic attempt to piss them off. Then they could, more easily, and in good conscience, respond in the appropriate manner - that is, not at all. I mean, when you know someone is *trying* to annoy you, it makes you a lot more resilient to it. After all, how do you really tell the difference between a troll and a sincere, but rude, idiot?

Further Reading

flexibeast had some commentary on this

In the above link, flexibeast comments and expands on some of the ideas in this post. In particular, an example from the creator of Clojure who states:

As a user of something open source you are not thereby entitled to anything at all. You are not entitled to contribute. You are not entitled to features. You are not entitled to the attention of others. You are not entitled to having value attached to your complaints. You are not entitled to this explanation.
If you have expectations (of others) that aren't being met, those expectations are your own responsibility. You are responsible for your own needs. If you want things, make them.

You can follow the link at the bottom of flexibeast's post to read the full comment, but even just on those paragraphs above, I'm inclined to agree with the sentiment. The point is that, unless otherwise stated, there are no obligations on developers to even interact with others. Issues should be about bugs and anomalies in what currently exist, whereas they've become almost a forum for some projects.

If this was the default position, rather than the assumption being here was going to be a 'vibrant and active community' or whatever, then that would at least set expectations at a workable baseline from which to extend invitations to participate further. It would also mean that, for example, the Clojure creator wouldn't feel the need to take such a defensive stance, since there'd be no attack.

Just like if I swept the snow from outside my house, and a neighbour started demanding I do theirs too, and their cars, then I'd feel ok about ignoring them, because there is no default position where I'm obligated to do that.