The right to delete: how faker.js exposed the fragile nature of open source culture, again
It's happened again.
Five years ago, a single programmer brought much of the internet to its knees by deleting some code in his own open source project, left-pad. It caused countless other code libraries to break because they depended on it in their own codebase. This week the author of another popular library, faker.js, has done the same thing with similar results. Once again, the fragility of the digital ecosystem is in the spotlight but so, too, is an age-old tension inherent in the open source concept as it tries to exist in a commercial world. Underpinning that tension is a simple question: who is ultimately responsible for open source code once it has been adopted?
It is a complex question that circles questions around culpability, ownership, ethics and the flawed nature of human motivation. To get to those questions, however, let me start with some background.
The left-pad incident
In 2015 a small code library called left-pad broke the internet after a developer unpublished it. The developer in question, Oakland-based Azer Koçulu, chose to remove the left-pad project from the highly popular code repository npm, after a dispute with the messaging app company Kik over the use of their trademarked name in another of Azer's open source projects. In a nutshell, Kik asked Azer to change the name of that project to something else, Azer refused, so Kik appealed to npm to compel Azer to comply, which they accordingly did. Azer, furious at npm's decision to side with Kik, decided to punish npm by deleting all his repositories from the platform claiming “I think I have the right of deleting [sic] all my stuff from NPM”.
The problem was that many other projects on npm had imported left-pad as a dependency into their own code, so its deletion caused these other projects to break. This caused a huge stir at the time as it exposed the fragility of the modern web ecosystem which had become highly dependent on an ever-growing chain of open-source projects to such an extent that a simple program containing 11 lines of code could wreak total havoc when removed.
In Azer's defence, he did make efforts to transfer his projects to other people and sanity was restored within a few hours, but not before dozens of articles, tweets and forum comments had lit up the programming community.
This week, a very similar thing happened with faker.js, another popular code project that was included in many other projects as a dependency, only this time the problem being exposed is even more complex to decipher.
First, a quick summary of what happened this time.
The faker.js incident
The faker.js project was developed and maintained by a somewhat controversial programmer called Marak Squires. It was a very useful tool that generated fake data which could be used in the development/testing aspects of an app. I have personally used this library to generate random names and avatars in some of the projects we've worked on at Firedrop. More broadly, it had become a very popular library which was being used by hundreds of companies including Fortune 500 businesses.
Marak, who has a history of deleting his own popular projects in the past, declared in 2020 that he had had enough of maintaining the faker.js codebase for free, and demanded someone pay him a six-figure salary to continue supporting it. In a portent of his actions this week, he declared in a code commit:
Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work.
There isn't much else to say.
Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.
His position gained widespread support in the Open Source Software (OSS) community at the time. The sentiment was understandable: nobody wants to work for free, and at a certain point an open source project can become more hassle than it's worth. Depending, of course, on your motivations for developing open source software, but more on that later.
As a next step, Marak decided to try and monetize the faker.js project himself. In a blog post titled "Monetizing Open-source is problematic", he explained how he came up with the idea of launching a cloud version of the faker.js which would enable developers to generate fake data using an API. He could then charge for access to this API at a certain level.
This was a pretty good and sensible idea, and in 2021 he built and launched fakercloud.com and started acquiring early users. Some of these users were programmers from a company called Retool, a VC-backed startup that had been a patron of the faker.js library as they used it in their own tech stack. According to Marak, within a matter of weeks Retool launched their own free variant of the fakercloud concept, using faker.js in its source code.
Marak, unsettled at the apparently blatant attempt at plagiarism, reached out to Retool suggesting that they purchase the faker.js project outright, and hire him as a consultant to support their development efforts. Retool ghosted him. After waiting a month for a reply, Marak posted the above blog post about the incident. The problem was that Retool's code was perfectly legal; it used the license that Marak had included with faker.js in a perfectly legitimate way. There was nothing Marak could really do about it.
Developer tantrums or social activitism?
Marak went quiet on the faker.js saga for several months, until January 5th 2022, when he force-pushed a commit to the faker.js Github repository, unironically numbered version 6.6.6, removed all the project's files and included nothing but a short Readme file containing, simply "What really happened with Aaron Swartz?". And because it was a force-push, all of the previous commits were erased too.
A few days later, he pushed a commit to another popular repository of his, colors.js, this time containing strange code that outputs an American flag to the console in ASCII format, and a javascript function that would execute an infinite loop that could crash people's browsers on execution.
Ironically, the infinite loop contained a bug that would prevent it from working, so he pushed a "fix" a couple of days later to ensure it would.
All of this clearly echoes the actions of Azer Koçulu, with similar consequences. Over 2,500 other libraries included faker.js as a dependency, and it was being downloaded over 2 million times per week at the time of the controversial rage-commit.
The popularity of the faker.js library led to Github suspending Marak's account and npm restoring a previous version of the codebase, sparking fresh debate in the OSS community over whether such interventions are in the spirit of open source and whose fault it is if a deleted codebase breaks other people's projects.
All of which points back to the core question of whether an individual contributing to the open source community should have total freedom to do as he pleases, or whether open source software is a beast of its own that has become so intertwined with commercial software that it needs some kind of sensible oversight to prevent such actions.
The stakes in the debate have been raised with Marak's latest actions, as the man himself has clearly been going through some mental health problems in recent years. In 2020 he was arrested and charged after accidentally burning down his apartment while trying to make homemade bombs, and more recently he has been posting conspiracy theory content surrounding a supposed connection between Ghislaine Maxwell, pizzagate and Aaron Swartz.
Whereas you could argue that Azer Koçulu was taking a principled stand against what he perceived as corporate greed, Marak's behaviour is more indicative of a generally unstable mindset. And yet, both individuals yielded not insignificant power to disrupt the fabric of the modern web.
Who was right? The age-old problem of blurred lines in open source philosophy
Open source has a long and checkered history of conflict with the commercially-driven forces of modern-day existence, framed as the classic battle between utopian ideology and capitalist necessity. The term itself was born out of this conflict, having been coined in response to Netscape's decision to release its Navigator browser source code as free software in 1998, which ultimately led to the foundation of the Open Source Initiative (OSI) in the same year. The goal of the OSI was to promote a more pragmatic approach to free software that would align better with businesses' goals and distance itself from the more radical social activism of the free software movement. This was in opposition to the incumbent Free Software Foundation, headed by Richard Stallman, whose philosophy was very much centered on the idea that all software should be free and available to all, unfettered by commercial interests.
The Open Source Initiative chose the term "open source," in founding member Michael Tiemann's words, to "dump the moralizing and confrontational attitude that had been associated with 'free software'" and instead promote open source ideas on "pragmatic, business-case grounds."
Source: Wikipedia
In that context, an argument can be made that both Azer and Marak, in deliberately disrupting the open source community with their personally-motivated actions, were in violation of the spirit of open source. It's certainly hard to support a non-ideological case for their actions being a positive contribution, if for no other reason than they removed code from the ecosystem, thereby making it impossible for others to contribute (a potential violation of rule 5 of the Open Source Definition, to boot).
On the other hand, the actions of Kik and Retool could also be accused of being against the spirit of open source as examples of corporate bullying, although Retool's neglect to even engage with Marak after clearly copying his idea is arguably an even greater infraction in that regard. At least Kik tried to communicate.
What follows, inevitably, is a moral debate. The arguments for either individual's behaviour here reduce, generally, to a simple question of whether or not their actions constitute a valid form of protest. And if so, what is being protested?
Although the incidents differ in their detail, Azer and Marak's actions both boil down to a tension between the desire to make free software and the need to make money. In each case, it was a commercial entity's attempts to interfere with the motivations of the individual developer that became the trigger point.
Money is a common point of friction in the ideologically-driven world of free software, which should come as no surprise given the very contradiction of the terms "free" and "money" (in all senses of the word "free"). Within the open source community there is often a conflation of the original concept of open source (sharing is good but money is necessary) and free software (free meaning freedom rather than no cost) into a broad anti-capitalist stance, on the basis that commerce relies on control of capital - aka the opposite of freedom. This sometimes leads to ideological conflicts like in Azer's case where his stance was strongly anti-corporate and his response to a corporate was therefore extremely hostile. This was shown in the email exchange that was made public by Kik after the debacle, where Azer's second email reply was:
hahah, you’re actually being a dick. so, fuck you. don’t e-mail me back.
Azer also proposed a fee of $30,000 to change his project's name, although one distinctly gets the sense from his email that his interest was less the actual monetary figure and more the middle finger the unreasonably high number represented:
Yeah, you can buy it for $30.000 for the hassle of giving up with my pet project for bunch of corporate dicks
Source: Medium
Marak, meanwhile, was very clearly out to try and make money from fakercloud and so his grievance was predicated on the corporate intervention presenting a competitive fly in the ointment of his attempts. His communication with the Retool hierarchy was nonetheless far more civilized:
I'm reaching out because I'd like to sell both the faker.js open-source project and fakercloud.com to Retool. I think it would be a huge win for everyone involved including the open-source community. Faker.js needs a solid corporate steward and Retool seems like a perfect fit.
Source: Marak.com via Archive.org
Two very different interactions between individual developers and corporations, yet both interactions led to the same ultimate outcome: an angry developer deciding to rage-quit.
This type of incident is great fuel for the ideological crowd. Big, greedy corporations trying to screw over the little guy will always be a seductive narrative. The problem with these specific incidents is that the little guys in question, by their actions, also ended up screwing over lots of other little guys, if only temporarily. Other developers building open source projects whose code relied on left-pad or faker.js were suddenly given a nasty headache despite being totally unconnected to the events. In the court of open source ethics both Azer and Marak could be found guilty on this basis, although Azer's infraction was certainly less damaging than Marak's due to the size of the library and his good faith attempts to hand over the project, plus his decision to leave a note in the final commit with a suggested fix:
It is generally accepted in the open source community that deleting the entire codebase is bad. Abandonment is the better option in situations where the hosting of the repository can be retained. In the case of Github and npm, hosting is free.
But what of the ethical issue of a commercial entity trying to interfere with an open source developer's work? Well, two things.
Firstly, in the case of Kik and Azer we have to accept that their reason for trying to push a name change was commercially valid. As the released emails state, a company has to be seen to protect its trademarks otherwise they risk losing it. As such, had Azer's kik project gone ahead with that name and gained notoriety there was a real chance that this would have impacted Kik's ability to retain the trademark, which would in turn potentially cost them millions of dollars. Despite what the ideologues seem to think, losing a lot of money is actually a big deal for a corporation that can have real world consequences on their employees' lives. Of course, there is nothing to concretely prove that they would have suffered such consequences, but the stakes are high enough for them not to want to risk it.
In the case of Marak and Retool, the easy answer is that Retool were perfectly within their rights to do what they did and their actions did not technically interfere with Marak's work, merely with his ability to monetize his work. They played the competition game and Marak fell over at the first punch. However, as a tech startup founder myself I do take issue with the way they handled the situation. In the commercial world it is technically acceptable to move on a competitor in the way they did, but to do so with the open source world is bad PR and a poor commercial strategy in the long term. I would personally feel uncomfortable about using an open source developer's own code to create a competitor product to something of his, too. In business, money may come first but morals still matter.
In the debate of right and wrong there are therefore two dimensions to consider: the practical dimension and the ethical one. On the practical level the actions of Azer and Marak were undeniably wrong. The actions of the companies, meanwhile, were - on a legal level at least - technically right. Ethics, on the other hand, are invariably a lot more murky, and here I believe every party got it wrong in different ways.
Motivations
Given the struggles of just these two stories alone, you'd be perfectly rational to question why anybody would want to contribute to the open source community in the first place. You wouldn't be the only one: this very question was the topic of a study by the European Economic Review in 2001 which attempted to extract the main motivations programmers had for contributing to open source. It boiled down to the following:
- Access to a free community: by putting your software out into the OSS world you are opening up to a potentially global team of people who can identify and squash bugs, improve the code and contribute new features for free.
- Personal recognition: as Marak in particular discovered, being a prolific contributor to open source can really raise your profile which should, in theory, lead to interesting work opportunities.
- Ego boosting: the competitive aspect of the programming world is well known, and many contributors were found to be doing so to show off their skills and gain respect amongst their peers.
- Creative expression: open source is not constrained by the needs of corporate enterprise and as such is an outlet for programmers to express their creative side.
If we are to accept that human beings always act out of self-interest, even when performing charitable acts, these motivations make perfect sense. In the case of Azer, Kik conflicted with his desire for creative expression - and possibly his personal ideologies - by demanding he change the name of his repository under the threat of legal action. In Marak's story, his quest for personal recognition proved to be insufficient on its own to generate monetary opportunities, and his frustration at this truth blinded him from being able to effectively leverage his accumulated notoriety.
Both Kik and Retool were also selfishly motivated, but they missed a strategic opportunity to engage with the OSS community in a mutually beneficial way, both choosing instead to ignore the ethical sensibilities of the open source movement and running roughshod over the developers with perfectly legal yet indelicate tactics. They could instead have taken a lesson from Microsoft, the owners of both npm and Github, who figured out a long time ago that working with the OSS community was the better move and are now one of the largest contributors to, and supporters of, open source development in the world. Their motivation is clearly part access to a free community of developers (a truth that sits very uncomfortably with many developers in the OSS world who cling to the ideologies), and also partly the marketing upside within the developer community, which gives Microsoft an advantage in recruitment amongst other things.
So while the principles that underpinned the very first free software movements have long since been inevitably usurped by the practical realities of commerce, open source has to a great extent settled on a model, however delicate, which allows it to coexist with the commercial world in a mutually beneficial arrangement.
And that arrangement has been incredibly fruitful, with projects like npm being the backbone of an incredible period of innovation in the tech space, while commercially-backed open source projects like Microsoft's VSCode have found wide-spread adoption within the developer community who have, in turn, used such tools to contribute even more innovation. At its best, the modern OSS community is a virtuous circle of innovation that creates an unprecedented amount of opportunity for developers.
And yet, incidents like faker.js remind us that it is still fragile.
Responsibility and ownership
And so to the final question of responsibility. If we can accept that developers can delete their code - if not ethically, then at least in practice - then whose responsibility is it to protect end users from the impacts of such events?
The easy solution here is to lean on the open source hosting companies, specifically npm and Github as the largest in this field. Their intervention in the left-pad incident was an interesting test case for such oversight, and while their decision to support Kik did lead to a non-litigious resolution, it also led to Azer's decision to rage-quit that subsequently impacted much of their broader user base. Their decision to roll back the version on faker.js in the more recent example is a more effective remedy to such outcomes, but it does present a potential slippery slope unless the parameters for such decisions are more clearly defined.
Next in the supply chain is the other code libraries that import projects like left-pad and faker.js. There is a strong argument for anybody developing a project with dependencies to take the proper time to evaluate imported libraries at each new release, and develop robust tests to minimize the possibility of a complete break in the event of a dependency snafu. In practice, the pressure to "go fast and break things" leads to these steps often being skipped, a bad habit made even more appealing thanks to the low-effort simplicity of npm's command-line tools that reduce third-party package updates to a simple npm update
command.
And finally, the open source developers themselves also need to accept some responsibility for their own conduct in the OSS community. In choosing to create code for free these developers should also be honest about their motivations and realistic about their expectations. Azer may have felt he was making a stand against corporate greed but he created an avoidable mess for his fellow open source developers in the process. Marak was naive to get upset over a company competing with his own software when he chose to release it under the permissive MIT License in the first place.
Conclusion
Developers are highly intelligent, often sensitive, creative deep thinkers. These attributes have, throughout history, been somewhat at odds with the requirements of commerce and they will continue to be so. The open source community exists in delicate harmony with the commercial world and it is to the credit of all involved that it does so.
And this is exactly why incidents such as the deletion of faker.js are always concerning: not because of the specific damage they cause but because of the potential such incidents have for putting people off the idea of contributing to open source. The truth is that, when done right, open source can be a wonderful strategy for both individuals and corporations alike (in similar ways, even) and it is in everyone's best interest to keep it alive, healthy, and safe.
In that endeavour we are all collectively responsible.
Edit: for those who have been affected by the faker.js or colors.js incidents, there is a helpful write-up on snyk.io with technical details on how to address it.