Witch hunt

I’ve only been part of the FOSS community for a couple of years. But even in that short time I’ve seen a couple of witch hunts, and to be honest, they leave a bad taste in my mouth.

You might know what I’m talking about — someone releases a small piece of software to the community, maybe as a script or an installer program, but doesn’t give complete access to the full code.

Which is their prerogative. No one is beholden to release every line of code, every speck of every last text file. You’re free to code your own software and distribute it only as a binary, provided of course you’re not stepping on any license requirement in doing so.

Invariably however, some FOSS zealot takes immediate offense, and starts up the witch hunt. Suddenly every dependency or script command has an ulterior motive, and there’s a demon behind every door. Somebody cries wolf (“malicious” seems to be the word of choice) and now everybody is worried that they’ve poisoned their otherwise virginal system.

Case in point. Let’s review: An install and backup script, offered as a time-saver and convenience, is suddenly an evil manifestation of The Dark Side, a spy, a poltergeist, a thokolosi with a mission to corrupt and destroy. Potentially, of course — it even says as much in the title.

In fact, nothing is ever proven, if you read the original thread offering here. Nobody ever picks apart the program and proves, beyond a reasonable doubt, that it was spying or prying or a minion of Redmond, working in disguise.

But by then the damage is done. There’s no point in continuing to offer something like that, and I can hardly blame the OPer for withdrawing his/her time-saver script when the community response is tantamount to crucifixion. To hell with that. Why bother?

But on the other hand, why bother trying to infect the Linux community with malware at all? You’d be stepping into a lion’s den just by trying. Ninety percent of FOSS users are far too savvy to fall for a trick that subverted their privacy or rights. And the other 10 percent have guardian angel geeks that make sure they don’t fall for that either.

No, there’s no point in trying to dupe the FOSS community into installing malware or spyware. You’d do much better to set up a simple Web site that stole credit card numbers from stupid Windows users. So accusing (not proving, either — just accusing) a simple backup script of kicking Richard Stallman in the shins is rather … petty.

And really, if the FOSS zealots in the Ubuntu community want to be purists, they should start by uninstalling the proprietary drivers for their video cards, or their network cards. You heard me. I double-dog dare you to yank your Broadcom wireless firmware because I know you won’t do it to save your life. God forbid you should live without Compiz, but death to anyone who doesn’t let you peek at their 16Kb bash script.

So why berate a community member over something as innocuous as a personal backup script, when you have the better part of the Nvidia corporation jacked directly into your kernel, looking for new ways to addict you to their product line? Who’s the demon now — the community member, trying to simplify a few menial tasks with an installation script, or a greedmonger international company with no soul and no moral obligation to do the right thing? I don’t know about you, but better the devil I know (through a few forum posts) than the devil I don’t know (except by its price tag).

So to review: Just because it’s closed source doesn’t mean it’s trying to steal your credit card number. Just because the author isn’t quite ready to go public with an invention doesn’t mean it’s a keylogger looking for your e-mail password. Stop trying to hang an albatross around the neck of a budding software developer by demanding s/he meet your personal criteria for freedom. Save your campaign for the genuine and legitimate dangers.

And before you cast that first stone, make sure your system is pure, clean and hand-coded from scratch. ‘Cause if you’re hacking away at another community member from the comfort and safety of the nvidia-glx package, then you’re not a zealot. You’re a hypocrite.


16 thoughts on “Witch hunt”

  1. Justin

    Finally, a post I disagree with you on lol. If you code something, you SHOULD allow access to all the code. You don’t have to, it’s your prerogative, but we are built upon sharing. His script could do something bad, or, it could have a spot that I could improve. Let me see the code. Once again, you don’t have to, but you should, and if people are angry when you don’t, they have good reason. I highly doubt the guy was trying to do something harmful, it’s just the point. We aren’t a huge blood sucking corporation, we are people who like to solve problems with programming, allow me to see how you solved the problem, it might help me solve mine next time. This same guy probably learned to code by searching through other people’s codes; share and share alike. Sorry for the rant, I’m a zealot 🙂

  2. Justin

    edit: and a hypocrite, damn nvidia-beta driver won’t compile on my machine, and the stable driver doesn’t support 9600’s. See, if they opened their code, we could solve this 🙂

  3. linuxcrayon

    I agree wholeheartedly. If you code something and don’t want to share the source, don’t share it. There have been plenty of times when I have wished I knew of a way to write Python and not have source code come with it automatically. I’m sure there’s a way…I just don’t know of it. Why? Because as a fledgling, unknown coder that no one cares about, it would be too easy to release something on my blog with source and then have someone else claim it as their own.

    This is especially true of younger teenagers who want to look good.

    That said, I would never actually release a closed-source application (unless it was for my dayjob). Despite the fact that I’d like to have a little more IP protection with closed-source, I see far too many benefits to the OSS movement.

  4. nugnuts

    I can appreciate the disdain demonstrated for initiators of “the witch hunt”, especially when their actions appear hasty & alarmist, and ultimately result in the withdrawal of ostensibly beneficial software. This can indeed be pretty annoying. However, I personally side whole-heartedly with “zealots”.

    Does a coder have to release his/her own source code (barring any legal obligations)? Of course not, that’s entirely his/her call. Could the code be malicious? Absolutely. Do we run the same risks when using proprietary video or network drivers? No doubt. Pointing out the potential for malware (however rudely) in this case is not hypocrisy. The same risks are applicable to all proprietary and closed software; choosing to trust one source and not another doesn’t necessarily equate to hypocrisy, and the general tone of this post does not seem to be any more helpful (or different, for that matter) than the witch hunting it derides.

    The fact remains that it *could* be malicious, and the “hunter”’s post indicates this without outright claiming it *is* malicious. This is entirely acceptable in my mind. While I agree malware writers will be hard-pressed to successfully infect the FOSS community at large, it seems worth pointing out that Ubuntu is generally known to be a very newb-friendly distro, and could be rife with easy-pickings. The warning post, then, seems entirely appropriate. The community at large generally trusts the hardware-specific code from hardware manufacturers themselves (like Nvidia) (or at least begrudgingly accepts the software out of necessity due to lack of viable free alternatives), but a single forum poster has a much further way to go to earn a trustworthy reputation.

    I don’t mean to indicate anything about the OPer’s trustworthiness at all. I simply don’t know anything about him/her, or the code, and I think that’s the point. If you can’t see the code, you never really know exactly what it’s doing. (This is one of the inherent superiorities of FOSS.) Reiterating that point, particularly for a more newb-centric crowd seems worthwhile. It seems that a warning in this particular case is prudent, even if the actual warning delivered was more flamboyant than some would prefer.

    Of course, I don’t think trying to strong-arm people into releasing their source code in this manner is the most effective or beneficial. That being said, the community can’t force a particular coder to release his/her code, nor can it prevent particular users from downloading whatever apps they want. We’re each allowed our own decisions. The threat of demons behind every door is there in proprietary software whether someone is aware of it or not; crying wolf doesn’t change that. Everyone is just as entitled to ignore the warnings as they are to heed them. Coders are entitled to not release their source code, and forum goers are entitled to remind others of the risks in using code that cannot be vetted.

  5. matthelmke

    A person who takes the time to create something has the right to license it as they wish. They have the right to expose to the world how they did it or to hide it.

    Others have the ability to choose to enjoy the work according to the terms of the license or walk away. Why people feel the need to be jerks about it is beyond me.

    I wrote about the same topic here, from a different perspective, but coming to the same conclusion. http://matthewhelmke.net/wordpress/2007/12/03/users-who-impose-their-beliefs-on-others/

  6. K.Mandla Post author

    Thanks for the comments. I wrote this in a blur last night before I went to sleep, so I hope you don’t mind if I tack on a few points I overlooked.

    First, I agree wholeheartedly that code should be open. If I were to write something I would make (and have, actually, made) a point of sharing it without reserve. I agree, it’s the right thing to do.

    But I don’t have to, if I don’t want to. That’s for me to decide. If the code was borrowed, it has to be. If I wrote it clean, I don’t. It offends my sensibilities, but I can actually think of at least one situation where I would keep the code closed — for “educational” purposes, if I can call it that. If I want to learn how to do something myself, I wouldn’t want a thousand patches all making the jump to lightspeed, without allowing me to learn from my own mistakes. Eventually I’m sure I would open it up, but for a short while I’d want to make sure I was getting the chance to solve things myself.

    What riled me about the “malicious” thread is that it wasn’t ever shown to be malicious. It was only accused of it. Is there a potential? Of course. Is it counter to the community principles? Some of them, yes. But it’s McCarthyist to label something malicious without any proof or due process. In fact, in some places, that would be libel.

    Was the code malicious? I don’t know. I probably never will either, since the OP has basically said “screw this,” and kept his/her work to his/herself. Helping others be damned, and I can hardly blame him/her.

    I cringe at the disparity between someone offering a tool and another person screaming bloody murder at it. Without proof, without some sort of evidence that there’s malice, or at least malicious intent, then it’s nothing more than a spoilsport. Let people do as they will. Point out that it’s closed source, refuse to use it, but don’t drag someone through the mud without proof.

  7. nugnuts

    Indeed, though the threat of malicious intent may be there, one does not have to point it out, arguably, maliciously oneself. Such concerns could clearly be relayed much more amicably.

  8. Alejandro

    I strongly believe it’s the programmer’s prerogative to release their software under a FLOSS license. I personally prefer them, although I wouldn’t release EVERY kind of software under such a license (commercial games, for example, are closer to art than to practical software).

    That said, an installer script is a place where I REALLY like to see the source code. Back when Automatix was the ‘bad script’, I remember reading through its source code to try to understand WHY it was so hated by the community. Even though I’m not a great coder, I can see how bad install scripts can generate TONS of damage to an installation. I personally see nothing wrong in warning against them.

  9. johnraff

    Great post at the bottom of Matthew Helmke’s page:
    (poster’s name) | February 19th, 2008 at 12:40 pm

    All of this ranting over a word. The only thing I have to say is that words do not have power except what you give them. If a person chooses to allow a word to be offensive to them then they are the ones with the issue or problem. I used to be offended with several words through my life and I have learned that they do not have any power unless I give it to them. I now feel that I have the power and not the words.

    Anyway, coders are entitled to publish their code, or not.
    Likewise, forum visitors are entitled to point out what they see as *possible* problems. (I don’t recall anyone in that “witch-hunt” thread actually saying QuickStart *was* malicious, just potentially so.)

    What we could be trying to do is to discuss things in a friendly and constructive way. 🙂

  10. anon.

    K.Mandla, I really like your blog, but I have to criticize. As a person heavily invested in how language is used in society, and how it affects people, I have an issue with the word “Jihad” you used in your post. The word, as you know, is associated with the Muslim faith, and does not have a very positive connotation in the West. As far as I understand it, the meaning of the word is conflict, or a variation of it. I understand what you are trying to communicate, but I think there is already enough rhetoric surrounding the Middle East issue, so it’s probably unnecessary to add to that confusion by using that word in passing…

    Sorry to be lecturing, but I care about words a lot.

  11. johnraff

    I’ve just had a quick look at the end of that (100-page!!) thread and have to agree that some posts are quite unnecessarily arrogant/aggressive/offensive. 😦

  12. dosnlinux

    How can you close source a bash script? The “worst” I would think he could do was obfuscate the code, but the code would still be visible.

  13. dunc

    If we force people to disclose their code, we can’t bandy the word “free” about. It’s as simple as that.

