Do you really expect anyone to believe that you're asking that in good faith?


Hey, you're the one stating they caused damage. They printed some zalgo strings. Hard to see how that damages anything other than making a few CI jobs fail.


It isn't necessarily the case that the package was used in CI jobs only and not on production servers.


Then that's on them for not pinning dependencies. You know, ops 101.

Play silly games, win silly prizes.


Thanks for stating the obvious. It isn't silly at all to publish malware and vaporize your reputation, right? Maybe it was good after all; people will become careful.


Maybe he wanted libraries that printed blather in an infinite loop. Then it can't be "malware" to put that in his own repositories.

If other people don't want that, then they shouldn't pull from his repositories. If they do that anyway, then that's their own fault. Nobody forced them to.


That's a foolish hypothetical to construct; however, I don't have to refute it.

That's because the author themselves said in this case, that the reason to submit the malware was to give a "fuck you" to the big corps.


> the author themselves said in this case, that the reason to submit the malware was to give a "fuck you" to the big corps.

Yeah, so obviously he did want libraries that give a "fuck you" to the big corps (by printing blather in an infinite loop). Then it still can't be "malware" to put that in his own repositories.

And my point still stands: If other people -- you, big corps, whoever -- don't want that, then they shouldn't pull from his repositories. If they do that anyway, then that's still just as much their own fault. Because, still, nobody forced them to.


It broke HOOBS and crashed its security camera plugins. Most people would consider that pretty heavy damage.


Was the author aware that "HOOBS and its security camera plugins" were going to break from this push? Or any prod servers, for that matter?

I see no code in there that checks if it is running in production. In fact, it is a reasonable expectation that people don't throw code into production blindly, but rather test any changes out first.


Malware is malware. You don't have a right to change ur software to malware. "wElL yOu ShOuLd HaVe Tested": no, you shouldn't push software in bad faith designed to crash apps that use it.


> You don't have a right to change ur software to malware.

Yes, I do. I may not have a right to push malware onto unwilling victims, but I absolutely have a right to change _my_ software however I want.

> "wElL yOu ShOuLd HaVe Tested"

Please, no need to be childish here. I have not taken that tone, nor will I respond to it in kind here.

> no you shouldn't push software ... designed to crash apps that use it.

Show me where a `git push` == "push[ing] software ... to ... apps that use it". When the `git push` is to my own repository, mind you, not someone else's app.

> ... in bad faith ...

Finally, I agree with you on something.

Of course this was in bad faith! That was clearly the point. When I write software and put it out there, and somebody comes and uses it, and I break my software to spite them, I am obviously acting in bad faith towards my users.

But that does not make it malice, or my software malware. I did not reach down into other people's computers/apps and change what they run.


Good to know not to use that software then.


If you want to use non-HomeKit devices with HomeKit you kind of have to.


"Kind of" is doing some pretty heavy lifting there. No, you don't "have to"; you're perfectly free to write your own software instead. Or even just use a prior version of his code that does what you want it to, instead of blindly updating to one that doesn't. He didn't force you (or the writers of whatever software you're using) to update, now did he?
