Lmao

Hate the government yadda yah

  • nohaybanda [he/him]
    ·
    edit-2
    3 years ago

    Sticking a knife in the heart of open source to own the Ruskies. The whole thing stands on trust. You open the door to sabotage like that and every company has to start wondering if they can survive in such an environment.

    Fuckin libs, man.

    • Tankiedesantski [he/him]
      ·
      3 years ago

      Sticking a knife in the heart of open source to own the Ruskies. The whole thing stands on trust.

      Tbh I'm pleasantly surprised open source lasted this long before major sabotage.

  • kleeon [he/him, he/him]
    ·
    3 years ago

    i'm in russia and a lot of projects at my job use Vue which depends on this package :sweat:

    open source is dead

      • kleeon [he/him, he/him]
        ·
        3 years ago

        Thanks. There was some panic at first with people taking money out of banks, people stocking up on food, cops being extra aggro etc. but it's more or less okay right now. Just hoping for the war to end ASAP

    • anoncpc [comrade/them]
      ·
      edit-2
      3 years ago

      Man, that sucks. Politics meddling with open source development, truly a disaster.

  • WoofWoof91 [comrade/them]
    ·
    3 years ago

    in the coming years when open source dies a slow death

    this event will be the reason

    • NaturalsNotInIt [any]
      ·
      3 years ago

      Every aspect of Western society is racing to wall themselves off from Eurasia and just expects the Global South to follow their lead because We're Better and We Say So. You love to see it tbh.

    • mittens [he/him]
      ·
      3 years ago

      Already another guy sabotaged an npm package by spamming the console with a bunch of nonsense

      • leredditor99 [he/him,none/use name]
        ·
        edit-2
        3 years ago

        How long until major distro packages are going to include malware that activates based on certain parameters? (Ah yes he has a Russian language layout, activate keylogger!)

        Wtf is going on?

        • PorkrollPosadist [he/him, they/them]
          ·
          3 years ago

          (Good) Distributions put their packages through several layers of testing before they arrive on an end user's machine. A Debian package for instance must be promoted from unstable to testing, and then from testing to stable. This is done by the distro maintainers, not the upstream developers.

          NPM just takes whatever it finds on Github and builds it into your project apparently.

            • mittens [he/him]
              ·
              3 years ago

              Rolling release distro packages are not thoroughly tested and usually offload some of that testing work to the end user. That's why rolling release distro users are expected to be savvy enough to work their way around a command line to at least downgrade packages if needed.

              • captcha [any]
                ·
                3 years ago

                Rolling release systems do test their packages before they release, but it's usually just that package in particular. They don't always test how packages that depend on it will work. So if library A updates from version 1.1 to version 1.2, application B, which depends on library A, might start having bugs if it wasn't developed against libA 1.2.

                That said, they still will do cross compiling, so if libA updates to 2.0 and appB no longer compiles, they'll usually hold off releasing libA 2.0 until all core apps that depend on it are upgraded, as with major libraries like GLIBC. Or release libA 1.0 and libA 2.0 separately.

                For community or user submitted stuff it's the wild west though.

            • PorkrollPosadist [he/him, they/them]
              ·
              edit-2
              3 years ago

              Debian does have a glacial release cycle, but it is not a requirement for releases to be so far apart. Fedora follows a similar model but cuts releases every 9 months, for instance. Ubuntu falls somewhere in the middle and cuts releases every year or two.

              Rolling release distros like Arch, Gentoo, Fedora Rawhide, etc. abandon the idea of having discrete release versions but they still track the versions and stability of individual packages. They still follow a similar trajectory from unstable to testing to stable. In Gentoo this takes the form of non-keyworded version 9999 packages (straight from git HEAD, masked by default), ~arch keyworded packages (tagged releases with version numbers, but which still require testing, masked by default), and ordinary arch keyworded packages that can be installed without flipping any switches. ArchLinux maintains separate repositories for stable and testing packages as well (though I'm not as familiar with their workflow).

              The main point though, is that all these packages are still hosted on the distribution's infrastructure (or in the case of Gentoo, the upstream source code must match a cryptographic hash which is hosted on Gentoo's infrastructure). There is one organization (the distributor) which is responsible for "certifying" packages as stable, and the contents of those packages cannot be changed arbitrarily by the tens of thousands of upstream sources. No distribution could possibly function if that were the case.

              Rolling release distributions still only install stable packages by default. You still need to go out of your way and explicitly tell it to install a testing package or the completely untested code that got committed five minutes ago. Stable packages are still not allowed to depend on testing/unstable packages. The main difference is that packages can have new releases tagged, and those releases can have their status upgraded from testing to stable at any time, rather than once every 9 months/years. Every distribution is different, but in Gentoo (and any sane distribution), unmaintained packages get removed, rather than having updates promoted blindly. If no one is willing to sign off on it, there's probably a reason you gotta figure out how to do it yourself.

              Since the collection of installed package versions changes continuously, rolling release distributions don't get the same kind of holistic release testing that something like FreeBSD or Debian or Fedora does, but the packages do receive testing as individual units.

  • Wildgrapes [she/her]
    ·
    3 years ago

    God that's so annoying. Torpedoing an entire community of collaboration to own Putin

      • NaturalsNotInIt [any]
        ·
        3 years ago

        Imperialists showing their loyalty, same deal as McDonald's and Ford pulling out of Russia, despite that meaning a loss of profit. Part of the deal of getting the Empire's loot is that when the Empire says it needs jumpers, you show 'em how high you can go before they even ask.

        • leredditor99 [he/him,none/use name]
          ·
          edit-2
          3 years ago

          same deal as McDonald’s and Ford pulling out of Russia, despite that meaning a loss of profit

          Only because they were told to do so. I'm sure there's probably some law if you're an American company (aside from other, non-legal coercion). McDonald's, IKEA and all the other companies that are solidified in Russia will gladly return; it's a huge market for them.

          McDonald's actually said they'll keep paying wages in Russia (while the stores are closed). They have 62k employees in Russia...

      • Frank [he/him, he/him]
        ·
        3 years ago

        People, including people on Hexbear, have a very difficult time distinguishing between States and the humans who live in those states.

  • Animasta [any]
    ·
    3 years ago

    Supposedly this stunt got data of some American NGO documenting human rights offences in Russia nuked.

    • nohaybanda [he/him]
      ·
      3 years ago

      We are an American NGO based in Washington, D.C. that monitors human rights infringements by authoritarian regimes in Belarus, Russia and other post-Soviet states. Since our start in 2014, we have been in contact with over 2,500 whistleblowers that provided us with detailed reports on various kinds of abuse happening there.

      LOL. The move is pure dogshit, but I'm not shedding a tear for these spooks.

      • Animasta [any]
        ·
        3 years ago

        Honestly, there is like a 90% chance that it's someone doing a bit.

    • anoncpc [comrade/them]
      ·
      edit-2
      3 years ago

      NGO dog shite, fuck them. Z!!!!!! Please nuke every document and data from other countries too.

  • Glass [he/him,they/them]
    ·
    3 years ago

    If some rando in China did this exact thing to protest the US role in the ongoing Yemeni genocide, the headline would read "Chinese Nationals commit cyber-attack".

  • buh [she/her]
    ·
    3 years ago

    in bad country they create malware for political reasons

  • PorkrollPosadist [he/him, they/them]
    ·
    edit-2
    3 years ago

    NPM is such a shit show. Perfect example of why a package manager is not a substitute for a software distribution time and time again.

  • WhyEssEff [she/her]
    ·
    3 years ago

    this motherfucking piece of shit got malware into unity for an update holy shit

  • sgtlion [any]
    ·
    edit-2
    3 years ago

    "Oh wow some american broke my deployment and wrote 'peace' all over my computer files I'm now so thankful and enlightened and not propagandised, I now oppose the Ukraine war, western democracy is great, go America, keep doing this!" -The response people somehow imagine happens to this shit???

  • buh [she/her]
    ·
    3 years ago

    On March 8th, developer Brandon Nozaki Miller,

    :biden-harbinger:

    • buh [she/her]
      ·
      3 years ago

      a guy who maintains a widely used javascript library quietly updated it to delete all your files if it detects that your IP address is in Russia or Belarus to epically dab on Putler

  • AlyxMS [he/him]
    ·
    3 years ago

    I'm not going to update any software or module to a version less than a month old now.

    I can totally see some dev deciding all computers in China are a valid target.

    Fuck this shit. Also, deleting Notepad++. The dev has had a history of adding "Save Uyghur", "Free Tibet" and "Stand with Hong Kong" to be automatically typed out with each update, and updates are named with stuff like "Tiananmen Square Massacre".

    I didn't really care about that coz libs like being libs. Now I see it's only one step away from doing something like this.

    I use VSCode far more often anyway. Only thing I would be missing is the "search word in multiple files" function. Wonder if there's a plugin for VSCode for that.