Open source code libraries Colors and Faker were corrupted earlier this week by the software developer who maintains them. His sabotaged updates brought down projects at thousands of businesses that use the libraries, sending their applications into infinite loops that print garbled output. This, coupled with the recent Log4j security breach, which was triggered by a vulnerability in a piece of open source code, has put the spotlight on the future of open source and on whether businesses, many of which rely heavily on freely available software, should exercise more caution.
Projects using the libraries, which include the popular Amazon AWS cloud development kit, saw their applications write garbled output to their consoles beneath the lines LIBERTY LIBERTY LIBERTY. Users can work around the problem by downgrading to earlier versions of the two libraries.
Colors library sabotage: pay me a ‘six-figure’ salary says developer
The perpetrator, Marak Squires, added a new “American flag” module to the Colors library on Monday. The infinite loop triggered by the code prints rubbish indefinitely, in the form of non-ASCII characters, on the console of any application that uses code from Colors. A sabotaged version 6.6.6 of Faker was also published to GitHub.
It has been reported that Squires updated the libraries maliciously to sabotage them and the projects that depend on them. He has previously published statements of his frustration at donating free labour to open source communities, whose work is then used by companies that can afford to pay but contribute nothing to maintaining the libraries. In November 2020, Squires wrote: “Respectfully, I am no longer going to support Fortune 500s with my free work. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it.”
Responses to the effects of Squires’ malicious updates appeared online almost instantly. Most were in opposition to the act of sabotage. Cybersecurity expert Dr Vesselin Bontchev tweeted that the act was “irresponsible”, saying: “if you have problems with businesses using your free code for free, don’t publish free code.”
Is it time to stop using open source?
Those who use open source software cannot be sure that it is completely secure, says John Goodacre, professor of computer architectures at the University of Manchester. “Whether a developer reuses open source or commercially sourced code in their project, there is always a risk that it can either perturb the expected behaviour of their application, as with the Colors and Faker libraries, or expose their product to a cyber vulnerability, as with Log4j,” he says. “Some organisations can use code developed elsewhere for up to 85% of their projects.”
Despite these risks, businesses rely heavily on open source, with 89% of UK organisations that responded to OpenUK’s State of Open 2021 report saying they deploy open source software in their companies. And replacing these code libraries with a commercially developed equivalent would not necessarily improve matters, argues Quincy Larson, founder of coding non-profit organisation FreeCodeCamp. “Open source is more secure than closed source, because the code benefits from additional scrutiny,” he says. “Security issues are usually fixed quickly.”
Rather than getting irritated at the prospect of providing free labour for corporations, many open source developers are finding new ways to get payment for their endeavours. “They are seeking new ways to get compensated for their time, such as GitHub Sponsors, Patreon and a variety of blockchain projects,” he says.
The responsibility remains with companies using open source to retain control over the code by being involved in its production, explains Clipot. “If you are involved in the development, then you can also actively follow its risk development and will be able to react sooner rather than later,” he says. “You will also be given the opportunity to contribute to the success of the component and therefore, lower its operational risk generally.”