Faker.js has become a community-controlled project

We recently covered the actions GitHub took against the account of Marak Squires, the main author of Faker.js, who corrupted and removed the library in early January, prompting GitHub to take action that divided the community.

Now the project is back online as a community project: a GitHub repository has been created for the new faker.js package, and a team of eight supervisors has been assembled to manage the open source project going forward.

In addition, a public Twitter account has been created to communicate with the JavaScript library community. In the meantime, Squires' profile, which had apparently been suspended by GitHub, can be accessed again.

We often hear that it is difficult to raise funds for the development of open source projects, to the point that it is said that “open source is a destination that does not generate money”.

The developer of the open source faker.js library recently did everything possible to destroy the library he had developed, because of the difficulty of monetizing it. In a GitHub post from November 2020, he stated that he no longer wanted to do free work. “With all due respect, I will no longer be supporting the Fortune 500 (and other smaller companies) with my free work,” he said.

“Take this as an opportunity to send me a six-figure annual contract or fork the project and have someone else work on it.” He probably did not get a favorable response to his request, which led him in early January to corrupt two of the libraries he designed himself, faker.js and colors.js, harming the millions of projects that depend on them. Squires submitted a commit to colors.js that adds a new American flag module, and also released version 6.6.6 of faker.js, which triggers the same destructive turn of events.

The sabotaged versions cause applications to endlessly output strange letters and symbols, starting with three lines of text that read "LIBERTY LIBERTY LIBERTY." Users obviously understood that the libraries had been compromised, but they were far from imagining that the person behind the compromise was Squires himself.

To get an idea of the extent of the damage, the colors.js library had over 20 million weekly downloads on npm alone, and it is said that almost 19,000 projects depend on it.

For its part, faker.js had more than 2.8 million weekly downloads on npm and over 2,500 users. In response to Squires' actions, faker.js has become a community project.

Faker.js, which only existed on GitHub until it was removed by Squires earlier this month, now has a website that says development of the library will be handled by a new team of eight people. The website also refers to the removal by Squires. According to the new team, "Squires has played a trick on the community."

“Project Faker was managed by Marak Squires, a Node enthusiast and professional who got angry and acted maliciously on Jan 4, 2022. The package was removed and the project was abandoned. We have now transformed Faker into a community-controlled project, currently managed by eight engineers from a variety of backgrounds and companies,” says the new faker.js website. Squires did not comment on those statements on Twitter. He announced that he had fixed the Zalgo bug in the colors.js JavaScript library, but was unable to upload it to the npm package manager.

Since the removal of faker.js in early January 2022, the community and other interested programmers have been actively discussing the issue. Some users show understanding for Squires' decision to remove faker.js, yet continue to express their discontent with it.

In fact, despite the havoc wrought, the image of the humble open source developer standing up to the big, rich companies that profit from his work resonated strongly in discussions on specialized forums. GitHub's role in this matter is also in question.

Some take issue with the fact that GitHub locked Squires' account.

“There is one thing that makes me cry and laugh. Where was the quality guarantee? Do you automatically update packages and run regression tests before releasing a new version of your software? It's embarrassing,” he added. Several people felt that the suspension of Squires' account was unreasonable as it was his own code.

GitHub later decided to restore Squires' account, which now appears to be accessible. Regardless, Squires' behavior has once again raised the issue of projects' "over-reliance" on third-party libraries.

Source: https://fakerjs.dev/



  1.   Miguel Rodriguez said

    What I still don't understand is why they haven't created a blockchain-based "GitHub" whose members help fund projects every time a project's version is quality-verified, where the prestige of collaborators (active members) who check a project depends on the level of detectable bugs in a project, making them earn more or less of the crypto. For example, the sabotaged project, where the code that has been checked does not do what it should according to the function of the project, would be very serious: a member who downloads the project and then marks that he has verified it without actually having done so will lower his prestige, and consequently his future earnings as a verifier will go down to the extent that his peers report it. It is what humbly occurs to me.

    1.    Walter said

      Open source/free software programs were created to satisfy, in the first place, a developer's need, and due to the scope of the code, it ends up benefiting everyone.

      The same developer is the one who takes care that his own software works at the most basic level for what it was created for, and as time goes by he adds/improves the parts that are necessary for the software to become safe and so prevent misuse of it or an unexpected situation in the operating system from causing a malfunction.

      All that is the reason why there was no entity to verify the code; that code worked, and those who used it instantly profited. They trusted the developer because they know that by nature it is the developer who most wants their software to work well.

      The developer got to a point where he felt it wasn't fair for them to make a profit and not share it with him, and he let them know.

      Companies that decided to finance an entity to verify code would be exposed, firstly because they would be showing that they made a profit on that software, and secondly because they would be showing that they were never willing to pay the main developers, since parts of those profits would go to other entities. Ultimately what they say is: what is yours is mine, what is mine is mine, and what belongs to everyone is mine.