In a widely circulated article this week, Gerald Benischke is making the open-source community take a hard look at the possible consequences of weaponized code. He’s right to be concerned that everything “open source has achieved over the last 30 years … [is] now at risk of becom[ing] collateral damage.” Why?

It’s not about sitting on the fence or taking sides in a war. It’s about what open source has achieved over the last 30 years and I think that’s now at risk of become collateral damage.

Gerald Benischke

Open Source Softwar(e)

Following the Russian invasion of Ukraine, many western companies cut their services and sales to some or all Russian customers. Open-source NoSQL database MongoDB is among them.

Benischke also looked at how a modified node library now tries to delete files on Russian IPs.

Both of these actions are potentially destructive, albeit in different ways. Both turn open source into a weapon.

Is this even Open Source?

Less damaging but more personally intrusive, a community Terraform AWS module changed its code and added requirements after its Apache license. These “Additional terms of use for users from Russia and Belarus” require those users to agree with three statements. One of those statements is “Putin is a dickhead.” Benischke notes this violates part of the Open Source Initiative‘s definition of open source:

5. No Discrimination Against Persons or Groups.
The license must not discriminate against any person or group of persons.

OSI, The Open Source Definition

What does it even mean to target people who are “from” a certain country? You might be “from” a country you do not currently live in. And not everyone living or born in a country has citizenship there. How a person defines their origins is completely subjective. Nationality is a legal fiction. Ethnicity and race are socially constructed and imaginary. Currently, 10 Million people are stateless — without citizenship in any nation.

Protestware or Malware?

Once our software can’t be trusted, what will happen?

Benischke warns about the possible “unintended consequences” of weaponized and discriminatory code. He’s right it goes beyond protest, especially in the case of the destructive Node library:

“In my mind, the term ‘protestware’ is attempting to legitimize the malicious actions and very much turns open source libraries into weapons to be aimed and fired at your opponent… I do think that these actions are to be condemned — especially as the “delete files based on geofencing IP addresses” has got the potential of causing collateral damage.”

Collateral damage to trust in open source could kill it.

The deeper (and probably the worst) unintended consequence is the loss of trust in the open-source community. Benischke asks if it’s even open-source code if you can’t trust it.

The Open Source Initiative (OSI) has a positive, agreeing response to Benischke’s post. OSI supports “creative” forms of “protestware” that are informational or symbolic, but they distinguish this from weaponized code, which they condemn. However, OSI does not mention trust at all or the consequences of losing it.

Why does trust matter so much?

If you can’t trust your dependencies, who is in a position to take ownership of them all to ensure their secure functioning? Benischke points out that only a few large companies allied with the most powerful nations could afford to do this. Exclusive multinational blocs using trusted but closed source software might emerge if we go down this path. And it’s not as if we didn’t already have enormous challenges with security, maintenance, project sustainability, and the “bus factor.”

This is why Benischke’s concerns about the death of trust as a lethal poison are not far-fetched or of secondary importance to WordPress and open source. If anything, he understates the precarity of the moment we are in.

What about you? Let us know in the comments.

Post Status Postscript

WordPress may not be interested in the US Department of Defense, but the DoD is interested in WordPress

It wasn’t hard to see the weaponization of open source coming long ago. I just thought it would be done by malign individuals and organizations outside the open-source community.

Government actors have been exploiting open (and closed) source code to spy on and harm enemies for a long time. I just didn’t think it would be members of open source projects doing this themselves.

And now we’ve experienced this in the WordPress community, with the Zamir plugin. (See our related thoughts on that story over here.)

These developments are all very concerning. I hope it’s not as bad as Heather Burns says it is, but she may be right:

“The .org OSS project is entirely legally controlled by a US company which could, at any time, fall under scrutiny for providing services to Russia, or be brought into the sanctions regime.”

Heather Burns @WebDevLaw

Is this how we need to think now, of globalized, international, open-source projects and communities? In a somewhat paranoid, suspicious way?

Imagining the worst — the ways open source could be destroyed — reminds me of a conversation I had at the last Post Status Partners Retreat. I asked a WordPress OG why he thought there always seems to be a constant sense of anxiety in the WordPress community — as if a massive disaster is just around the corner. I haven’t seen that in other projects that are healthy even if they have a much smaller market share — like Drupal, for instance. (Speaking of which, you should check out Amy June Hineline‘s comparison of the Drupal and WordPress communities in her recent chat with David.)

My question led to the response that only WordPress can destroy WordPress, it’s so big. Then we had some fun imagining “evil” self-sabotage scenarios that might realistically play out if things went sideways. Later I posed this as a thought experiment with other people — imagine a Screwtape Letters take on WordPress. What would a clever demon do to ruin the project by manipulating its insiders?

Even in the worst-case scenarios, most people agreed that some massive corporations are so dependent on WordPress, they would take it over in their own — in-house (and likely as good as proprietary) distribution. WordPress would not die. The project as we know it might die. The community would die. The software, at the end of the day, is the most durable thing — but it’s not worth much to us if it’s torn away from open source freedoms and an open, cooperative community of contributors.

Can an open-source community like ours survive abandoning a fully globalized, international openness — at least as a possibility and ideal? Would survival in that context be worth anything, or be truly open? I don’t think so. But we’re now looking at a darkening world where every open-source project has reason to worry about that as a non-zero possibility.

— Dan Knauss