Programming

16240 readers

67 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 1 year ago

MODERATORS

[email protected]

Open source Git repo owners with open licenses, how do you know your code is being used by a big corpo? (sh.itjust.works)

submitted 2 weeks ago* (last edited 2 weeks ago) by [email protected] to c/[email protected]

19 comments fedilink hide all child comments

How do people find out or know whether your repo which is having MIT or apache or AGPL license is being used by a corpo and profiting from it and not making the code open source or paying license fees?

you are viewing a single comment's thread
view the rest of the comments

[–] 555_1 10 points 2 weeks ago (2 children)

So what you’re saying is you could take down an entire company by introducing a bug?

[–] [email protected] 12 points 2 weeks ago

Or YOU could hack the company by stressing him about bugs and offer your help to fix them.

[–] Perhyte 3 points 2 weeks ago (2 children)

I don't think so, no.

Leaving aside the fact that I don't want to do that:

They've quite sensibly vendored my library, so I'd have to hope they pull in updates without checking the code changes: since it's such a tiny library (excluding tests but including fairly extensive comments, it's less than 100 lines of quite readable code) I don't think it'd be easy to get it past their code review system if I tried to sneak in enough code to take down entire companies.

Also, my GitHub account is tied to my real-world identity, so I'd probably be in a lot of trouble if I somehow succeeded.

[–] 555_1 3 points 2 weeks ago

If it’s less than 100 lines, why on earth don’t they just put that in their own code?

[–] [email protected] 1 points 2 weeks ago (2 children)

"vendored my library"

I'm unfamiliar with this phrase, are you able to explain what it means (or point me towards an explanation)? Is it relating to forking?

[–] [email protected] 3 points 2 weeks ago

It means, at least in the golang world, that they keep a copy of your source for themselves and use it for builds. They don't pull from the public repo every time they build their stuff, so malicious code could only get in with new versions, but they check for that.

[–] Perhyte 1 points 2 weeks ago

They've checked in my code in their own repository, using an automated tool that keeps track of its origin so they can still check for updates. (The build tool knows to check this directory before trying to pull in dependencies from elsewhere)

One benefit to them is that their build won't break if I decide to delete that specific repository (see also: the left-pad incident) or do silly things with version tags (deleting versions, or re-tagging a different commit with the same version number, that sort of thing).

But more relevantly for this thread, it also means that if I release a new version and they upgrade to it, the PR on their repository won't just be incrementing a version number in go.mod and adding an unreadable hash to go.sum: the diff will show all the changes I've made since the version they previously used.