I agree on all accounts. Even though I can also see how someone could do something irrational in the heat of the moment when confronted with the extreme violence brought upon the people of Ukraine. It ultimately is not the answer and there are reports of NGO's trying to help being affected. For me I'm considering finally moving my Node.js apps into (Docker) containers to shield direct acces to the host. I try to minimise layers of indirection but may have reached the threshold to go this route.

Open source should be neutral.

I understand not wanting your project used by someone upsetting the world balance, but activism in Open Source like we've seen has real collateral damage.

For those of us in InfoSec, we have to review & respond to reported incidents. When this disclosure became public, I had to review the threat, scan all my projects to see if the dependency was used, and patch/pin those dependencies so it didn't use the vulnerable version. In addition to the change itself, tickets had to be created and reports compiled to keep auditors happy.

In the grand scheme of things, the incident only took 3 hours of my time. But I'm not the only one handling InfoSec in the world. If America has ~ 500,000 tech companies, then it's very plausible that at least 100k of those have InfoSec obligations. Let's also assume an average salary of $100k for the worker. That translates to millions in dollars of spent labor, responding to the disclosure. Labor, that's having to handle an increased number of responses because cutting off Russia from the global economy shook the bees nest.

Also, what kind of impact does sabotaging inflict on your target? Is the FSB or the Russian Military really using node-ipc on critical systems? If there's definitive proof that's the case, my position may be up for negotiation, but otherwise you're just inflicting more collateral damage. There's plenty of folks in Russia and Belarus who don't subscribe to their leader's beliefs and are powerless to enact change.

If you were absolutely dead-set on doing open source activism, you'd have a better chance at inflicting damage to your true enemy by targeting more essential dependencies. Git, Linux, those type of things are likely to be far more accessible to critical systems than a npm package.

OSS should not meddle with politics or other movements (for most of it that is way off from Software Domain at the very least).

Although, the silver lining of this incidents is lots of devs can become aware on best practices about npm packages (hardlocking versions, backup registry etc) which at the very first place should be considered.

While medium / small and personal projects are more likely susceptive to this.
I am always baffled that there are large entities and companies still that get affected by this, imagine having collective team of engineers not foresee that possibility.

And to those oss owners doing this sh*t, I only have few words
You're not a cool activist, you're just a plain simple d**k

First of all, thank you for playing the devil's advocate.

However, as Hiram Johnson said: "The first casualty, when war comes, is truth.", so in absence of full knowledge of all facts how can we be sure to be justified in our actions? Also, taking action in a way that is so damaging to everyone else cannot be justified even by extreme importance to take a stance.

So by all means, write it in your license text that nobody who is in agreement with this war may use your software. Write your support for the Ukraine into a postinstall message in package.json. But don't break the trust in our ecosystem; don't break open source itself.

Ultimately, it's a question of trust. If your solution to a lack of trust in the ecosystem is curated sources, then how can you trust the curators?

So you just add layers of trust through reviewers. But how can you possibly know they're not in on the sabotage? That's what I meant: once the trust is out of the window, it doesn't suffice to open the door to someone else.

The worst of us commit package sabotage against users with a russian IP address.

I meeean... is it though?

My take on retaliation against the Russian people (as opposed to the government and oligarchs) is the following:

• The Russian population holds a significant power
• The cost of exercising this power is potentially very high to the individual
• The cost of not exercising it as an individual is very low for ukraine
• The cost of not exercising it en massee is very high for ukraine

So you can broadly categorise the Russian population into three groups

• In favour of the invasion
• Complacent in the invasion out of personal danger
• Opposing the invasion despite personal danger

It is easy to argue that the first group deserves any form of mild consequences, being scarcity due to trade restrictions or losing access to digital services due to activism.

The third group, while they may be the most sympathetic to the cause, is probably the least deserving of retaliation.

The third group, which I assume may be the largest, is the interesting one though: While it is ultimately their choice to prioritise their own safety over that of strangers in a foreign country, I don't think there shouldn't be any consequences to this inaction. They are, after all, tolerating war crimes being committed in their name almost daily. So ultimately, putting pressure on this part of the Russian population with hopes of driving them to speak out against the Russian invasion of Ukraine is not a choice we should indiscriminately label as "bad".

Package sabotaging is madness - There's no other ways to put it. And for those participating in it, they're effectively committing intellectual and professional suicide. I would never trust such a person ever again. And I am very much against Russian aggression and I have friends in Ukraine, suffering from this madness - Still, sabotaging packages is like a doctor refusing to treat patients because they're on "the wrong side of history" ...

Everything people are doing to put pressure on Putin is a good thing.

Not to disagree, but sabotaging the node ecosystem, even if you only target Russians within their country, is hardly going to affect Putin or his cronies. If anything, they can tie these actions into their propaganda against the west.

And what if that protest wants to use node-ipc? That would result in one's "valiant aid" to the Ukraine putting a stop to anti-war protest in Russia.

Yes, we need to make the Russian people see that Putin is a dictator. Antagonizing them with sabotage is not going to help that cause.

Most russians support the war, not only Putin is to blame. They dream of an empire, military exploits, and new territories. They yearn to restore at least the Soviet Union. Others simply want material gain, fame, a sense of military power, and superiority. They are resentful and embittered at losing the Cold War.

I don't mean the official media. I'm talking about opinion polls conducted by independent bloggers, just a variety of private YouTube videos, comments on social networks, and live communication.
Even if you have such an impression, 30 years have passed. This is a different country and a different people drugged by propaganda. Now they are praising Stalin and want a firm managerial hand.
I guess you don't communicate much with Russians right now and aren't well integrated into the Russian part of the internet.
I wish your optimism were true, but there's hardly 20% against what's happening. Most of the sane left the country during these 8 years of conflict and growing madness.
Many russians wear T-shirts with the letter Z, which is a symbol of the new fascism and approval of what is happening. They stick them on their cars, post them on social media accounts, etc.
youtube.com/watch?v=C_39n3AUQv0

Almost 3/4 of the population of Russia support the war with Ukraine, and since the end of February there have been more such people.

youtube.com/watch?v=zRrtfeW8ONM
youtu.be/CRoJljTIzqA?t=133
youtu.be/gDvuxScUdVw?t=10
youtu.be/zXIWjOc2du8?t=12

Oh boy, I ended up talking more about this than I thought. So let's start off with this: I want to thank Alex Lohr for starting this conversation. As a software guy with an engineering background, I often find the emphasis on ethics in software rather lacking. Almost like "follow these rules and you'll be ethically untouchable" and then that's it, you're excused. So I really appreciate any discussion about ethics in the space. Moving on...

Who's this hurt?

I don't think many of these actions are actually hurting Russian people who can't afford it, if I were a Russian I would be concerned about food, medicine, and communication devices; not my self hosted server. Many large Russian companies may be slightly hurt by these actions, but ultimately I think much of the cost is spread around the Russian economy in general. I'm not an economist so I won't claim to know how much this economic damage will trickle down to uninvolved Russian citizens, but that ship has already sailed with western countries leading the charge.

Should software be neutral?

I don't believe the argument of neutrality here. As others have pointed out, inaction is sometimes an action in itself. And while I will admit we don't have perfect information, and the moon may indeed be made of green cheese, we have to work with what we've got and try our best. As Hannah Arendt, a holocaust survivor and philosopher, said "The sad truth is that most evil is done by people who never make up their minds to be good or evil." While Arendt has received criticism for underplaying the extent to which Nazis actively participated in evil, I still think this thought holds significance on an individual level.

What about package sabotage?

I think package sabotaging is a bad choice regardless of the above. I think it shows a level of dishonesty and lack of commitment to promises. When you publish a package as open source you get to set the rules, or license. To break the expectations of those rules later is dishonest. I think it's important for open source devs to consider if they are truly okay with even the worst people using their package. If you aren't okay with literally anyone using your package, you should consider using a different license than BSD, MIT, GPL, etcetera. While many of the "ethical" licenses lack legal teeth, they would at least set forward the expectation that the author may try to curb use of package if they find it immoral.

Closing thoughts

Are there examples where the gravity of what you're protesting justifies package sabotage? Well, probably. I have yet to see anything that would justify it for me (and doubt I ever will), but I'm also not in a literal war zone. Let's remember that hard problems make bad rules, and what's most important is to take time to think about our decisions and whether or not they align with our values. Circling back to Hannah Arendt, one of her conclusions was that evil often comes not from malice, but from a lack of thinking. Not taking time alone with yourself to think things over, and instead getting swept up by the rapids of society, often leads to immoral action (or inaction). Again this is not a concept that was met uncriticized, but I do think it holds personal merit even if it's ability to explain evil doings is controversial at best.
So would I sabotage a package? Almost certainly not. Would I think poorly of someone who has? Probably not, if anything I think it shows that they've taken the time to examine their values and made a choice that felt moral to them. That's the most I can really ask of anyone, even if I disagree with the outcome they decided to go for.

Food for thought:

nukes + EMP = you don't have to worry about software anymore.