Developer nukes his extensively used JS libraries to protest corporate use without compensation

He is making the open source community look bad. He is totally within his rights to stop supporting his project if he is not happy with the way things are going, but sabotaging it only teaches that open source is not trustworthy, not that they need compensation. This following Log4j really makes open source look bad. I don't think GitHub should punish the guy, but they are probably just trying to protect themselves from getting sued. It would be a bogus lawsuit to blame GitHub, but things like that happen and sometimes the court makes the wrong decision. It's not like there are technology courts that have a clue.
Maybe his intention was exactly to teach them not to trust open source in corporate usage?

Everyone has known for years that ad hoc OSS development is NOT best-practices security audited automatically. You actually need structure, qualified devs who actually target auditing this stuff. It's a no-brainer. WHY do you expect log4j to be security audited if you didn't freaking set something up to audit it?

This sounds like people don't understand what the tool is and what purpose it serves. If you want to use random crap from the internet, you take personal responsibility for the consequences. OSS without support is random crap on the internet.
 
But how many years will that take? How expensive will that be? And even if the person won the case, will the payout even be worth it?

Suffice it to say, I agree with the reason why the person did what they did, just not what they did. We've seen time and time again that companies just take from the open source community and give nothing back. Companies treat open source developers as free third-party contractors, and that's wrong.
I definitely agree with you and also understand where the developer is coming from. The developer always gets screwed, that's for sure.

As a senior developer for over 25 years myself, I personally do not contribute to any Open Source projects for the pure fact that I do not work for free. I understand the risks in putting work out there for anyone to take, as there will always be someone not following the spirit of the EULA. I have worked for a number of really cheap corporations (boggles my mind how cheap, despite making billions per quarter, I kid you not. lol) who will do just about anything to get software for free. Sadly, there are plenty of companies out there looking for great "free" solutions, even if it means ultimately taking from an honest, well-meaning developer. :(
 
THIS is the lesson that everyone should learn. Companies (especially DoD contractors) should not "trust" free software on the internet. I am not sympathetic to for-profit companies getting upset that the free software they downloaded from GitHub broke their system. Have you ever heard the saying "you get what you paid for"?

The developer and Github are being childish IMO, but the lesson to be learned is real.
 
I get his sentiment and disposition, but he went about it in the wrong way. Bait-and-switch tactics are not a way to solve a problem and only serve to sow distrust. He likely ruined his reputation, because who would hire him now, knowing his personal ethics allow him to sabotage his own work to make a point? Make your argument, and if you are in a position to assess a penalty, then make it known.
 
You don't have to hire lawyers. Advisable? Sure, but not a requirement. You just need to file your lawsuit(s) in the jurisdictions that would accept them, even if it's a mirror of the same lawsuit in multiple jurisdictions. The court system will help you, as pro se (for self), and has to. It was originally designed to. If you make a mistake, it will kick it back and request you to fix it. Just file in time. https://pacer.uscourts.gov/ Every filing, initiation and response has time limits. If their lawyer(s), who are likely working multiple cases for their own financial reasons and wasting time because they are milking their clients, can't file responses in time, you can win even on a technicality, despite the merits, or lack thereof, of your case. You, having all the time in the world, can game the filing system to your advantage. Lawfare at its finest. To understand the court system, you must understand the Latin-based terms it's based on.
 