Open source ‘protestware’ harms Open Source

This week marks one month since the start of Putin’s war against Ukraine. We stated the OSI position at that time—the OSI condemns the attack on Ukraine by the Russian army at the direction of Vladimir Putin—but there is a new development that directly impacts the open source community, and it warrants a new commentary.

The new development is that angry maintainers have started adding code to a small number of open source repositories to protest against the war. When deployed, this ‘protestware’ expresses the maintainer’s opposition to the Russian government’s invasion of Ukraine. Most protestware simply displays anti-war or pro-Ukrainian messages when run. This is a non-violent, creative form of protest that can be effective.

But, in at least one case—the peacenotwar module in the node-ipc package—an update sabotages npm developers with code intended to wipe data stored in Russia and Belarus. In a March 16 blog post on the malicious code, Liran Tal at Snyk said, “This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms.”

The “weaponization of open source,” as Gerald Benischke calls it in his March 16 blog post, is indiscriminate: the collateral damage falls on the work of developers and operators solely because they have a Russia-assigned IP address. It harms peacemakers as much as the warmongers—even ethical hackers using a VPN to work against the invasion might become collateral damage.

Understandably, this has caused outrage. We share that outrage. Protest is an important element of free speech that should be protected. Openness and inclusivity are cornerstones of the culture of open source, and the tools of open source communities are designed for global access and participation. Collectively, the very culture and tooling of open source—issue tracking, messaging systems, repositories—offer a unique signaling channel that may route around the censorship tyrants impose to hold on to their power.

Instead of malware, a better approach to free expression would be to use commit log messages to counter propaganda, and to use issue trackers to share accurate news inside Russia of what is really happening in Ukraine at the hands of the Russian military, to cite two obvious possibilities. There are many outlets for open source communities to be creative without harming everyone who happens to load the update.

We encourage community members to use both the freedoms and tools of open source innovatively and wisely to inform Russian citizens about the reality of the harm imposed on Ukrainian citizens and to support humanitarian and relief efforts in and supportive of Ukraine.

Longer term, these weaponizations are likely to prove like spitting into the wind: the downsides of vandalizing open source projects far outweigh any possible benefit, and the blowback will ultimately damage the projects and contributors responsible. By extension, all of open source is harmed. Use your power, yes—but use it wisely.