A thread of “Sabotage” incidents in open source software are rekindling discussions about how projects underpinning digital platforms and networks around the world. Many of the recent incidents have been dubbed “protestware” because they involve open source developers making code changes to show support for Ukraine during the Russian invasion and ongoing attack on the country.
In some cases, open source software has been modified to display anti-war overlays or other messages of solidarity with Ukraine. In at least one case, however, a popular software package was modified to deploy a malicious data eraser on Russian and Belarusian computers. This wave of open source protests comes just a few months after an apparently unrelated incident in which an administrator sabotaged two of his widely used open source projects out of apparent frustration at feeling overworked and undercompensated.
The incidents have been relatively limited so far, but they threaten to further erode trust in the ecosystem just as the tech industry makes an effort to address other software supply chain vulnerabilities associated with open source. And while financial support, promises of automated tools and attention from the White House are welcome, the open source community needs more robust, sustainable help.
In a statement Thursday, the Open Source Initiative, which categorically denounces Russia’s war in Ukraine, spoke out against destructive protestware and pleaded with community members to find creative, alternative ways to use their position as enforcers to stand up against to oppose the war.
“The downsides of wrecking open source projects far outweigh any potential benefit, and the backlash will ultimately hurt the projects and contributors responsible,” the group wrote. “By extension, all open source is harmed. Use your power, yes, but use it wisely.”
Open source software is free for anyone to use, so the tools and programs are embedded in everything from independent projects to mainstream, proprietary consumer software. Nobody wants to take the time to write and test a component from scratch when they can just plug in and play a ready-made version. However, this means that all kinds of software depend on projects maintained by one or a handful of volunteers – or projects that are no longer maintained at all.
A long touted advantage of open source software is that it has the potential to be as secure as, or more secure than, proprietary code because it is open to independent scrutiny. The idea is that many eyes mean few bugs. In practice, however, this security has limitations, precisely because there are often not many eyes available. However, the issue of sabotage goes to the heart of the premise of open source as a decentralized, non-federated space.
“Systemically, there’s nothing in place to prevent internal sabotage incidents from becoming more frequent,” said Dan Lorenc, an open source software supply chain researcher and founder of the security company ChainGuard. “Projects build reputation over time and people who are often pseudonymous come to trust each other’s digital identities because of the work they’ve done. There is no general list of approvers, and each project has a different culture about how to become an approver,” or a developer authorized to approve and publish code changes.