
> Cool story.

Actually, "blacklists", "redlists" and many other "lists of undesirables" weren't cool at all. But every generation or so they unfortunately seem appealing again.

> the list that they're discussing has actually existed for 30 years

Where is this list? Who maintains it?

OC certainly didn't know about it: "We should probably start an open source sanction list of individuals who abuse trust to ship malware"

> When you commit a crime

"crime"? Please link me to the law you think they broke.

Here's the license: https://github.com/Yaffle/EventSource/blob/master/LICENSE.md

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED

So, how is this a "crime"?

> that knowledge never disappears in any country

Not true in any country except maybe North Korea or some other authoritarian state. In any society with checks and balances, verdicts can be appealed, judgements reversed, records expunged and rights restored. This "undo" feature is pretty critical to any legitimate system of justice, as is "innocent until proven guilty". I didn't see any details about the rights of the accused in anyone's blacklisting proposals.

> None of these address what happened in any way.

Yes, it does. MIT licensed software is provided "AS IS, WITHOUT WARRANTY". If you don't like it you can fork it. If you're afraid of a bad commit, vendor it, which is a best practice anyway, for this exact use case.

> Relatively easy for the rest of us to see.

Our entire legal branch of government exists because these lines are not always easy. Judges judge things all the time, and not uniformly. If everything was easy to see, we wouldn't need judges or juries. The interpretation of language or of an act on a case by case basis is where things get tricky.

> The rest of us will act without you

At this point I have way more questions:

* Would you blacklist this contributor if they documented the Russian timezone popup as a feature in the package as the issue creator suggested (https://github.com/Yaffle/EventSource/issues/202#issuecommen...)?

* What "test" would you apply to code to determine if the developer should be blacklisted or not? Would this blacklist only pertain to malware? Wikipedia (https://en.wikipedia.org/wiki/Malware) defines a few different malware categories: "Many types of malware exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper, and scareware." If the code doesn't fall into one of those categories (as is this case), under what circumstances might you still blacklist the developer?

* If a maintainer stops maintaining their current library and says all future maintenance will be done on a new library, and that new library contains this Russian timezone popup code, would they be blacklisted?

* Would it matter if the "bad code" was intentional or not? Or a joke or not? Or temporary or not? How would you determine the author's intent? Would they have a chance (or be obligated) to respond? Or would you only look at the impact of the code? If you look at the impact, under what conditions would a "bug" get you blacklisted?

* Would you blacklist a developer for making a breaking change to a package? What if the breaking change was politically motivated?

* Who runs and maintains the list? Does this list have an appeals process? What are the rights of the accused?

* How will you disambiguate the list so as not to misconstrue "innocent" developers as blacklisted developers? Will you include their birth name? Social profiles? Emails? Addresses? How will you deal with name changes (someone gets married, or changes their name?), or new online handles?

* What age and definition of a minor will you use? And will minors be given different treatment or excused from the blacklist?

I could go on, but if you're serious about this idea, you'll probably want to communicate it in more detail because a "forever list of bad developers" sounds a lot like a "forever list of communists" or a "forever list of undesirables". If you're not going to make the same mistakes McCarthy (and others before him) did where this list turns into a biased weapon of control and intimidation, then these details will be really important.



> Actually, "blacklists", "redlists" and many other "lists of undesirables" weren't cool at all.

That's nice. That isn't what's happening here.

What's happening here is akin to the list of photos that every restaurant has to prevent people from bouncing bad checks.

Go into the Post Office and you'll see another. Same one as at most grocery stores.

I see that you are trying, as hard as you can, to equate keeping a list of bad actors with political suppression. I reject this. Society is fundamentally built on these things that you're extremifying.

You have a credit score. Go learn about it.

.

> Where is this list? Who maintains it?

Please stop asking me questions that have already been answered.

.

> > > When you commit a crime
>
> > "crime"? Please link me to the law you think they broke.

If you remove the surrounding context, you will edit what I said to remove that this was a comparative metaphor, in the effort to manufacture an error.

This isn't very effective, however.

People can just look at the previous comment to see that you've edited what was said in a fashion that significantly changes the intent, and are asking someone to justify something that clearly is not what they actually said, despite being a verbatim quote.

.

> > that knowledge never disappears in any country
>
> Not true in any country except maybe North Korea or some other authoritarian state.

When you edit out that what I said was that a record of past crimes exists in every country, then you might be able to come to a facile conclusion of this form.

In reality, in the United States, criminal records are public and can be looked up online except for minors, and this is true of most modern countries.

.

> In any society with checks and balances, verdicts can be appealed, judgements reversed, records expunged and rights restored.

Though truthful, none of this is in any way related to what I said.

.

> This "undo" feature is pretty critical to any legitimate system of justice

Keeping a text file on github is not an attempt to create a legitimate system of justice.

You seem to be unable to differentiate between a text file and a court of law.

.

> Our entire legal branch of government exists because these lines are not always easy.

Your attempts to turn a simple text file into a valid comparison to the legal branch of a government of 330 million people are confusing to me.

Do you believe that a person found in such a list has been tried by a court and is incarcerated?

The metaphor you're making seems absurd to me.

.

> At this point I have way more questions

They aren't really interesting to me, is the problem.

.

> Would you blacklist this contributor if they documented the Russian timezone popup as a feature in the package as the issue creator suggested

Of course not. This person hasn't caused intentional harm. What a weird question.

.

> What "test" would you apply to code to determine if the developer should be blacklisted or not?

My own personal judgement.

I'm not really interested if you find that unacceptable. I am not keeping this list for you.

My approximate rule of thumb is "did they attempt to cause harm?"

If you try to frame this differently, by injecting politics or wild hand waving about your fictional oppressive society, or keep insisting that only North Korea has public court records (it's actually the oppressive regimes that hide them), I guess I kind of won't really care.

I'm sure that, over time, such a definition might become more nuanced, but your attempt to cast someone keeping a list of "this person tried to harm users" as a form of government overreach just ... just seems silly, to me.

I cannot name a business that doesn't have a list of banned bad customers. Maybe in tiny towns or something?

.

> If a maintainer stops maintaining their current library and says all future maintenance will be done on a new library, and that new library contains this Russian timezone popup code, would they be blacklisted?

I have no idea why you're obsessing about a "Russian timezone popup code."

These questions are silly. Nobody's blacklisting anyone over a timezone.

It's not clear to me if you just misunderstood what actually happened here, or what.

.

> Would you blacklist a developer for making a breaking change to a package?

Please stop asking aggressively inappropriate questions.

I make breaking changes to packages all the time. Sometimes it's the right thing to do. Sometimes people disagree. More often than not I do it by accident.

If you are not able to understand the difference between an intentional bad actor and the vague process of software, you are not equipped to be a participant in this discussion.

.

> Who runs and maintains the list?

I'm aware of about 40 of them. One of them is me.

You don't seem to grasp that these lists are common, and are not centralized.

This is not a government court body. Please stop pretending that it is. As long as you act this way, you will fail to understand what's actually being discussed here.

.

> How will you disambiguate the list so as not to misconstrue "innocent" developers as blacklisted developers?

By whatever identity mechanism is appropriate for the given package system. Using the example of feross, github and npm username, as well as email.

This will vary system to system, of course, but whatever common sense equivalent is appropriate would be used.

I have less than zero interest in watching you attempt to deep think about how this could go wrong. These lists are not complicated, and if it actually does go wrong, that person can just say "hey, I'm not that guy, can you fix it," and people will.

You're being deeply unreasonable. These things are common.

.

> I could go on, but if you're serious about this idea, you'll probably want to communicate it in more detail

No thanks. I don't have any interest in these opinions you're attempting to put in front of me. These systems are extremely common, and have been for decades. They've been thought through by tens of thousands of people, and the objections you're making are trivially easily solved.

.

> sounds a lot like

Your often repeated opinion is noted.

.

> "forever list of communists"

No.

.

> or a "forever list of undesirables"

Yes.

.

> If you're not going to make the same mistakes McCarthy (and others before him) did

Imagine thinking this was a reasonable thing to say.

Unlike McCarthy, if we make mistakes and are told, we fix them.

Unlike McCarthy, we aren't ruining lives, ending careers, disbanding university participation, censoring, jailing, or murdering.

I have a hard time understanding why you're reacting so severely to systems that are decades old and have never actually had any of the problems you describe.

If you're unable to tell the difference between a text file on github that lists people who have intentionally caused harm through package managers, and someone who manipulated world government to jail tens of thousands of people, some for decades?

Then I guess I just don't really trust your judgment.

We're not the TSA. Nobody's getting banned from any flights.

We're just a list that says "oh, if your package manager installs something and the owner key or the author keys include this email address, pop a warning and get user confirmation before anything gets executed"

Just so you know, if you're in the United States, and are an adult citizen, you're on dozens of these lists no matter what.

Have a good day.


> What's happening here is akin to the list of photos that every restaurant has to prevent people from bouncing bad checks.

No, that list is privately maintained and exclusive to the restaurant. It’s used for internal purposes. You’re talking about a public list used by others for external purposes.

> My own personal judgement.

Sorry, but I don’t know you or trust you. If you want a system people trust, it has to have more thought and transparency put into it than that.

> I have no idea why you're obsessing about a "russian timezone popup code."

The code introduced to the repo linked above creates a pop-up about the war in Ukraine if you're in a Russian time zone.

> I'm aware of about 40 of them. One of them is me.

Can you link to some?

> These lists are not complicated, and if it actually does go wrong, that person can just say "hey, i'm not that guy, can you fix it," and people will.

I have much less faith in people in positions of power than you apparently do. Especially when their arbitration rules are "their own personal judgement".

> Unlike McCarthy, if we make mistakes and are told, we fix them.

How could someone like me verify this claim? I don’t have a link to the list or documentation of errors being corrected. Plus, it seems like these lists (yours at least) are run by individuals at their sole discretion? What McCarthy lacked was transparency and accountability to others. I haven’t heard how you’ve implemented either of those yet.

> Unlike McCarthy, we aren't ruining lives, ending careers, disbanding university participation, censoring, jailing, or murdering.

You don’t think ending up on a developer blacklist (forever!) would end a career or get them excluded from participating in other developer groups or uninvited from speaking at conferences?

And these lists in history always start with public shaming, and then progress over time from there. It doesn’t start out at maximum evil on day 1.

I’m not saying your list will 100% lead to evil, but “lists of undesirables” has been a precursor to some pretty bad things, so I hope you’re vigilant.

> I have a hard time understanding why you're reacting so severely to systems that are decades old and have never actually had any of the problems you describe.

I’ve been coding since ‘97, running tech companies since ‘08 and reading HN almost every week since ‘15 and I have never heard of such lists until this thread. OC said that the community should start one, and others agreed. No one linked to these lists and said they already existed. This is all very new to me.

I’m perhaps reacting strongly because I know of people who were accused by McCarthy and how destructive and unfair it was. I don’t want to see similar mistakes happening again in a community I’m familiar with and involved in.

This feels very reactionary, and lacking in many safeguards.

> If you're unable to tell the difference between a text file on github that lists people who have intentionally caused harm through package managers, and someone who manipulated world government to jail tens of thousands of people, some for decades?

It’s a text file that’s used to take some action though... Someone recommended pinning a visual indicator to the developer’s avatars (public shaming). Another wanted to identify the developer as someone who “conducted sabotage” with an alert.

And “intentionally caused harm” is where the problem is.

I’m sure you have good intentions. I just don’t like the “forever” stick approach, when the community was built around carrots (stars, forks, blog posts, ratings, install stats, etc.).


> No, that list is privately maintained and exclusive to the restaurant. It’s used for internal purposes.

Wendy's, McDonald's, and Burger King share their lists, and post them in public.

The lists for all airlines are now being shared by law in the United States. Airlines do not have the privilege of not barring some other airline's violent customer.

This has always been a requirement of participating in American Express.

Credit scores, as were already pointed out to you, are shared between actors and posted in public.

You're being facially recognized at almost every major grocery chain, and the vendor of the cameras is exchanging the underlying results. Shoplift a ham at Albertson's in California? You're now banned from Giant Eagle in Pennsylvania, an unrelated company, too.

Drug stores. Fast food. Jiffy Lube. Target.

Not even kidding, buddy, just walking down the street gets you put on lists by ATM vendors because they're trying to see if you're casing the joint.

You can't oversee or get yourself removed from any of this. None of it is internal, none of it is privately maintained, and none of it is exclusive.

In the meantime, my list is privately maintained, and you're claiming that's a problem. My list is exclusive, and you're claiming that's a problem.

.

> > My own personal judgement.
>
> Sorry, but I don’t know you or trust you. If you want a system people trust

Your trust is not something I seek.

.

> The code introduced to the repo linked above creates a pop up if your in a Russian time zone about the war in Ukraine.

Thanks. The answer hasn't changed.

What I had clearly said was "caused harm." This does not "cause harm." To me, this seems like a simple concept.

I do not care if you disagree. If you do, make your own list. Or don't.

.

> Can you link to some?

Can? Yes.

Will? No, use Google. You're annoying and I don't care if you believe me.

.

> I have much less faith in people in positions of power

Your faith is not a goal for me.

.

> How could someone like me verify this claim?

Find a mistake and tell me about it, and I'll fix it.

Or, y'know, accept that you generally don't get to verify these lists. You don't have that level of authority.

.

> You don’t think ending up on a developer blacklist (forever!) would end a career or get them excluded from participating in other developer groups or uninvited from speaking at conferences?

That's just not how I would evaluate the situation.

If someone turned up on a blacklist during an interview, and that blacklist gave factual, researchable information about what that person had done, and the person lost that job offer as a result, I would think their actions, not the list, resulted in the lost offer.

You know, like when they call the FBI and ask "is this person on the predator list" before hiring you. If the FBI says "yes," they're not costing you the job, your history as a predator is.

It's kind of wild to me that you seem to be suggesting that I am failing in my responsibility to the bad actor somehow, by permitting the facts of their past to come to light.

.

> I’m not saying your list will 100% lead to evil

Cool story.

.

> I’ve been coding since ‘97

Cool story.

.

> I have never heard of such lists until this thread.

You can get to one of them from the alarm bell on your github account, if you've released any open source.

Your unawareness of social standards in software is genuinely not relevant to me. You can just look these things up, instead of telling me over and over that you don't know about them.

I mean, there's a plant that recycles plastic bottles somewhere in your city, but I bet you have no idea where it is. I don't know where mine is. Does that mean there isn't one? No, that just means you don't know it.

Honestly, assuming you're a regular person in the United States, you actually have heard of a whole lot of these; you just aren't trying very hard to think of them.

.

> This feels very reactionary

Your feelings are not relevant to me, especially with your habit of accusing me of being similar to Joseph McCarthy.

Also, it seems like you're saying "writing down what people did is reactionary." Reactionary has two meanings: 1) to react to something, or 2) to resist sociopolitical change.

There's nothing wrong with reacting to things, and I'm not resisting sociopolitical change, so I guess I'm not entirely certain what point you're trying to make with this heavily loaded word.

.

> I’m perhaps reacting strongly because

The reason is not relevant to me.

.

> It’s a text file that’s used to take some action though

No, it's not.

.

> I’m sure you have good intentions.

Your certainty is not important to me.

.

> I just don’t like the “forever” stick approach

Cool story.

.

Call your bank and ask what a "credit score" is. Those lists are shared too.

Anyone with even a trivial understanding of the world knows that they are absolutely surrounded by this stuff.

What do you think your Uber rating is? Did nobody tell you that the high school permanent record they talk about is actually real? Did you know your doctor has your charts from your previous doctors, including all their criticisms? Did you know that if you bounce three checks at Walmart, you can't go to Jiffy Lube anymore?

Did you know nine US states have public lists of check fraud people, farmed from any company in the state which wants to participate? Did you know the US Post Office publicly has this nationwide?

They don't have to be formal, either. One thing I really enjoy is telling people they should look themselves up on NextDoor. You're going to be horrified how many lies the Karens who live near you have written about you.

Go tell Amazon how it's Joseph McCarthy and keeping lists of undesirables. Maybe you could hit the big red button and say "holocaust?"

Are you about to tell me how unfair it is that people get cancelled on Twitter, next? Maybe it's not okay that Will Smith doesn't have the right to have the slap forgotten? Maybe it's Joseph McCarthy that The Academy banned him from all Hollywood events for ten years?

Are you aware of the sex offender registry? The arsonist registry? Have you ever heard of the Neighborhood Watch? Does it bother you that the McGruff the Crime Dog kits used to send out lists monthly?

What about Lyft? Are those independent contractors or the company sharing that data around, that when you say racist stuff in the car you can never take a Lyft again?

Do you feel bad for Mel Gibson?

Do you think there's something wrong with Snyk? They have exactly this list, with Marak and so on, on it. They sell this as a service. So does SonarQube.

How do you feel about the Russian oligarchs that the United States has put on a list recently?

Or, on a smaller scale, you can go into any chain hotel - let's just say a Hilton - and take a big fat dump on the ground. Guess what other 35 hotel chains will not rent to you worldwide, afterwards? Are they somehow harming your delicate sensibilities?

What about large franchisees? It's not uncommon for one person to own a bunch of instances of various competing fast food brands in a neighborhood. Where I grew up, at the mall nearest me, the same guy owned a Taco Bell, a Wendy's, and a Subway, all of which are unrelated companies. Do you think he shouldn't pass bad check information between his three stores? If a bad check gets bounced at a Wendy's, and his Subway has a local friend franchise with a different Subway owner across town, is it bad for this Subway owner to tell that Subway owner because the information was originally domiciled in a Wendy's?

Why are you claiming that these systems are ethical when a walled garden exists, but not when it doesn't? How does that actually make sense, without telling me anything about your emotions?

Do you think that if you call them, and say Joseph McCarthy enough times, they'll stop keeping that list, worldwide? Is your monologue that powerful, that it will convince people to change the standard ways of the world?

When you contact Amazon, have you considered asking them how long the notes on your account are? Because if you've ever asked them where your shipment is, they're keeping a list about you too.

I googled the phrase "list of con men," and I got things on CNBC, Wikipedia, Ranker, Money Magazine, a page on Penguin Publishing about a book about this, the BBC, etc. Are all these groups in need of learning rudimentary ethics from you?

What ... what do you think of the news? Is it bad that they tell the rest of the country when a murder happens who did it, or criticize a politician, or whatever? Those are all permanent record. Even the weird public access TV stuff.

When Ashley Judd made a list of rapists in Hollywood, and got the ball rolling on Harvey Weinstein, do you think she was doing a bad thing somehow?

If you want to change this extremely common practice of keeping track of problem people, tell a lawmaker, not me. I don't actually agree with you, that people who harm one another have some weird right to privacy from consequences of their own actions.

For my part, I actually struggle with the US law about hiding this stuff just for minors. I mostly agree with it, but not entirely.

Honestly, sometimes I don't understand why people don't realize that this level of exaggeration makes people less likely, not more likely, to listen.

Please be aware that the second you tell someone they're in any way similar to Joseph McCarthy, your chances of being taken seriously have dropped to epsilon.


> Airlines do not have the privilege of not barring some other airline's violent customer.

> Shoplift a ham at Albertson's in California

> when they call the FBI and ask "is this person on the predator list" before hiring you

> if you bounce three checks at Walmart, you can't go to Jiffy Lube anymore

> nine US states have public lists of check fraud people

> Are you aware of the sex offender registry? The arsonist registry? Have you ever heard of the Neighborhood Watch? Does it bother you that the McGruff the Crime Dog kits used to send out lists monthly?

> you can go into any chain hotel - let's just say a Hilton - and take a big fat dump on the ground. Guess what other 35 hotel chains will not rent to you worldwide, afterwards

> Do you think he shouldn't pass bad check information between his three stores

> I googled the phrase "list of con men," and I got things on CNBC, Wikipedia, Ranker, Money Magazine, a page on Penguin Publishing about a book about this, the BBC, etc.

> Is it bad that they tell the rest of the country when a murder happens who did it

> When Ashley Judd made a list of rapists in Hollywood, and got the ball rolling on Harvey Weinstein, do you think she was doing a bad thing somehow?

> extremely common practice of keeping track of problem people

You keep equating these developers to criminals. I don’t think it’s a fair comparison.

1) They broke no law

2) There’s no civilized justice system here

> I don't actually agree with you, that people who harm one another have some weird right to privacy from consequences of their own actions.

You agreed to use the code “AS IS”. They have no obligation to you.

> For my part, I actually struggle with the US law about hiding this stuff just for minors. I mostly agree with it, but not entirely.

I think it’s something worth considering. Minors’ brains are still developing, as are their ethics and knowledge of the world. It seems harsh to me to associate them with a rash act from their childhood forever.

> Please be aware that the second you tell someone they're in any way similar to Joseph McCarthy, your chances of being taken seriously have dropped to epsilon.

Not end result McCarthy, early days McCarthy where he probably thought he was doing good in the world.

> If someone turned up on a blacklist during an interview, and that blacklist gave factual, researchable information about what that person had done, and the person lost that job offer as a result, I would think their actions, not the list, resulted in the lost offer.

This is why these lists are so powerful. Not everyone bothers to read the details of each case. They see the name on the list and assume they did it. Take any of your criminal list examples above. Do you think other people research these individual cases? No, they assume that if you’re on the list, you did the “bad thing”. They all assume it was the person’s actions that got them on the list. McCarthy supporters would have said the same thing about his list: don’t want to be on it? Don’t be a communist. That’s why transparency and some type of “undo” is so important. Everyone makes mistakes — even the list makers.

It’s clear you’ll keep doing whatever you feel like doing. I just hope at some point you realize that you’re fallible and not a neutral arbiter and to get some outside checks and balances and a variety of thought processes to the task if you want to keep doing this.