Just a quick note to say I learned more about the backstory of this post from 4 comments on HN than trying to run down the rabbit holes of that Twitter thread.
Thanks for that.
Summary from what I can tell:
Faker.js is a JavaScript tool for generating realistic test data.
Marak is the developer of said tool.
He hosts a public version of it on a personal, public GitHub account repository.
For some reason he updated the README of this repo to include links to some conspiracy threads on Reddit.
Microsoft, owner of GitHub, has suspended his GitHub account. No one seems to know why and whether or how it relates to this action.
Various people have opinions and suggestions about this.
mrtksn
Okay, there is more actually.
Marak develops this very useful tool and gives it away for free, receives praise but no money. After realising that there is no money in giving stuff away for free with no further plan down the road, gets cranky as others are not giving Marak free services and don't accept applause as a payment method, says that someone needs to pay for it or take over the development. Declares that he will no longer do free work for corporations[0], but corporations seem to be unimpressed that the free worker will no longer work.
Since no one seems to be interested in paying for work offered for free, Marak launches a SaaS of the tool as fakercloud.com, which is a popular strategy and sometimes can actually work.
Unfortunately, according to Marak[1], engineers from Retool copy the SaaS platform and launch it as a part of Retool. Marak, realising what has happened, offers to sell fakercloud.com to the CEO of Retool. The CEO ghosts Marak, maybe because he doesn't want to give evidence for a lawsuit or maybe doesn't see the point of purchasing a product that the internal engineers already built.
As a result, Marak gets angry and deletes everything and posts conspiracy theory memes and links everywhere. As this tool is a popular one and people depend on it, NPM suspends Marak's account and continues to provide the latest working version that Marak gave them for free.
Honestly, I feel for Marak. What a talented engineer and romantic businessman.
[0] https://news.ycombinator.com/item?id=25032105
[1] https://web.archive.org/web/20211030075524/https://marak.com...
Just WOW! It's fascinating when you put a face on an online persona. Sooo, is he doing these things from Guantanamo or was the incident considered "no biggie"?
kingcharles
Charged with a misdemeanor, no data to show he was convicted. Or if he was, it might have been through a program that allowed the conviction to be wiped.
extheat
This man should be thankful he’s not in jail right now. For reasons unbeknownst he basically got a slap on the wrist. If he wasn’t caught who knows what may have happened.
imnotjames
> receives praise but no money
Sort of. faker.js has an open collective [0] which receives some money each year. However, living off a single open source package - even one widely used like faker - is very difficult even in lower cost of living areas.
Nobody has an issue if an unpaid open source developer doesn't feel like developing anymore. The issue here is that he tried to take back what was already out there.
[0]: https://opencollective.com/fakerjs
geofft
In the old days that wasn't a problem - when you released some OSS, you put a tarball somewhere and told people to download it. Some of those people were redistributors (mostly Linux distros or BSDs, but also CD vendors, people running FTP sites of neat things, etc.). Many of those redistributors, in turn, got their software to people from further redistributors (mirrors, people burning CDs and passing them around, etc. - up to even a decade ago I was both giving and receiving Ubuntu CDs). More people got your software from a redistributor than directly from you.
If you tried to "un-release" some OSS, not only would that not work, it would be abundantly clear to you that it wouldn't, and moreover that would be clear to you well before you even published the first version, so you wouldn't feel like you were tricked or didn't have the chance to think this through.
With the new world of GitHub and NPM and such and especially tools like Go that pull directly from GitHub, the role of the distributor is basically no more than the role of GeoCities: they provide hosting for you, but it's in your account. So you can take things out of GitHub and NPM just as easily as you can un-publish a web page. (In fact an analogy could be made here to blogs, where you can un-publish, vs. newsgroups/mailing lists, where you can't.) There could be mirrors, certainly, but there aren't necessarily mirrors, and the social norms on both ends are against them: you aren't explicitly asking people to mirror your code and distribute it independently from you, and other people may feel that it is rude/inappropriate to continue to distribute code that you've chosen to stop distributing.
There are certainly very strong advantages in scale of participation (and in the loss of a certain gatekeeping that could not scale) in this new world, but it does seem like it would be good to recapture this one feature of the old world.
CogitoCogito
It's a bit similar to your email address not only being just a way to send you email, but also effectively your identity.
Macha
> For some reason he updated the README of this repo to include links to some conspiracy threads on Reddit.
For more clarity here, he didn't just update the README. He deleted the repo and replaced it with one that only has the modified readme and no content, and pushed an empty package to npm as the latest version (npm has removed the latter).
goblin89
Regarding the Faker.js incident, I’m torn between two positions, however unpopular they might be:
1. If I publish a library somewhere, I expect to have control over its future versions, even if I want to effectively break it. If you have not pinned its version in a lockfile or vendored it, it’s your problem if the new version breaks the API. If you have forked it, you can republish it license permitting, but my thing is my thing. If NPM and GitHub allow themselves to take that control away from me, that sounds like news.
2. My attitude to OSS is “help yourself, then help others”: find income (consult, make a business, join a business, etc.), then contribute when you’re comfortable. If you contribute to the extent that it causes you financial ruin, please don’t contribute.
On the other hand, the alleged copying of author’s SaaS is unequivocally bad if true. One could sue in response, but presumably it might be difficult depending on local laws, and especially if the thief is in another country.
jraph
> If NPM and GitHub allow themselves to take that control away from me, that sounds like news.
That's the thing. When will people realize these obvious downsides when they decide to use these big, centralized platforms to distribute their software?
You are using someone else's computer and this has some actual consequences. If your thing being your thing is important to you, make it so?
I know the problem might be hard for NPM, but nothing forces you to use GitHub.
josephcsible
Marak force-pushed to his GitHub repo to remove all prior version history. If all he did was publish a new broken version, then my opinion would be very different.
goblin89
I believe I should be able to do this with my GitHub repo. (Obviously, anyone is free to fork and I don’t expect to be able to do anything about that.)
andrewflnr
Absolutely. In my view the ability to destroy something is nearly the definition of ownership.
goblin89
It’s even more worrying once you consider that both NPM and GitHub are owned by the same company.
tpoacher
I don't see why not. There are perfectly valid reasons for such an act (enforcing a new licence, e.g.), and even if there weren't, it's his repo.
leros
Interesting. So he got upset with his project and pushed a new version to NPM which was an empty repo, breaking lots of people's builds. Fair enough I suppose. It's his project.
Then NPM reverted the last version to unbreak things probably suspecting his account had been hacked. Fair enough.
Now what happens when the author declares it was him? Is it his right to push a broken version? Is it his right to delete the npm package entirely? I'm sure there are some npm terms of service around this, but it's an interesting scenario.
Macha
> Now what happens when the author declares it was him? Is it his right to push a broken version? Is it his right to delete the npm package entirely? I'm sure there are some npm terms of service around this, but it's an interesting scenario.
NPM's terms of service indicate they can refuse service for any reason, and the package's own license of GPL indicates that NPM legally can distribute it without the author's consent otherwise. Even if the package was not licensed as such, NPM's terms of use indicate you grant them an irrevocable license to distribute what you upload. Unlike some social media platforms, they don't reserve the right to sublicense it, but they do require you agree they aren't the ones liable if someone they distribute it to breaches the license.
aleksandrh
> breaking lots of people's builds
Why would it break people's builds? I can only see this happening if they upgraded faker.js.
Besides, best practice says to check each package's repo before upgrading because of 1) malware, and 2) potentially breaking changes.
Also, many forks exist, and you can point to GitHub versions of a package.
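An added example, not code from the thread or from the faker.js project: a small Node script that audits a package.json and package-lock.json for the weak spots goblin89 and aleksandrh raise above (version ranges instead of exact pins, lockfile entries with no integrity hash, dependencies resolved from GitHub rather than the registry). The sample manifest and lockfile are constructed for the example; the package names, versions and URLs in them are illustrative, not real projects.

```javascript
// Added example: audit an npm manifest and lockfile for supply-chain weak spots.
// Inputs below are constructed samples, not files from any real project.

// Exact semver: MAJOR.MINOR.PATCH with an optional pre-release tag.
const SEMVER_EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
// Specs that resolve from a URL or git host rather than the npm registry.
const URL_SPEC = /^(?:github:|git\+|git:|https?:\/\/)/;
// Where a lockfile entry should normally be resolved from.
const REGISTRY = /^https:\/\/registry\.npmjs\.org\//;

// Constructed package.json: one exact pin, one caret range, one git dependency.
const samplePackageJson = {
  name: "demo-app",
  dependencies: {
    "left-pad": "1.3.0",
    "faker": "^5.5.3",
    "some-lib": "github:example-org/some-lib#main",
  },
};

// Constructed package-lock.json (lockfileVersion 2 shape, "packages" map).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app" }, // root project entry, not a dependency
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER-CONSTRUCTED-HASH",
    },
    "node_modules/faker": {
      version: "5.5.3",
      resolved: "https://registry.npmjs.org/faker/-/faker-5.5.3.tgz",
      // no integrity field: npm cannot verify the tarball it downloads
    },
    "node_modules/some-lib": {
      version: "0.1.0",
      resolved: "git+ssh://git@github.com/example-org/some-lib.git#abc123",
      // fetched straight from a git host: a force-push or deleted repo breaks the build
    },
  },
};

// Flag dependency specs that are not exact pins.
function auditManifest(pkg) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    if (SEMVER_EXACT.test(spec)) continue; // exact pin: a new upstream release cannot slip in
    findings.push({
      name,
      spec,
      reason: URL_SPEC.test(spec)
        ? "resolved from a URL or git host, not the registry"
        : "version range: npm update or a lockfile-less install can pull a newer release",
    });
  }
  return findings;
}

// Flag lockfile entries that cannot be verified or are not served by the registry.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.resolved) {
      findings.push({ name, reason: "no resolved URL recorded" });
      continue;
    }
    if (!REGISTRY.test(entry.resolved)) {
      findings.push({ name, reason: "resolved outside the registry: " + entry.resolved });
    }
    if (!entry.integrity) {
      findings.push({ name, reason: "no integrity hash: the downloaded tarball is not verified" });
    }
  }
  return findings;
}

function audit(pkg, lock) {
  return { manifest: auditManifest(pkg), lock: auditLock(lock) };
}

console.log(JSON.stringify(audit(samplePackageJson, sampleLock), null, 2));
```

Run with `node audit.js`; to use it on a real project, replace the two sample objects with `JSON.parse(fs.readFileSync(...))` of the project's package.json and package-lock.json. Only the left-pad entry comes back clean: it is pinned exactly, resolved from the registry and carries an integrity hash, which is the combination that makes `npm ci` reproducible even if upstream later publishes an empty version.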
js4ever
In case you want to backup all your Github repos quickly:
    apt install git parallel jq -y
    TOKEN=xxxxxxxxxxxxxxxxxxxxx; ORG=yyyyyyyyyyyyyy; page=1
    # page through the org's repo list and shallow-clone each repo in parallel
    while links=($(curl -H "Authorization: token ${TOKEN}" -s "https://api.github.com/orgs/${ORG}/repos?per_page=100&page=${page}" | jq -rc '.[] | {ssh_url} | .ssh_url')); [[ "$links" ]]; do
        GIT_TERMINAL_PROMPT=0 parallel git clone --depth=1 {} ::: "${links[@]}"
        ((++page))
    done
your ssh public key should be added on github for it to work
arilotter
--depth one will lose allll your history, and only keep `master` branch, though
azmarks
He did say quickly
SahAssar
Quickly does not imply lossy
damienwebdev
My org has forked this to https://github.com/graycoreio/faker.js from a fairly recent verified commit from Marak, even if it's only temporary for some semblance of stability.
pull_my_finger
Maybe they (gh) suspected someone tampering his account? I'm against the "tantrum" (assuming it was about money) he threw, but it's kind of crazy how NPM can just totally nullify his "activism".
josephcsible
It's hard to feel bad for you when you try to do an end-run around FOSS licenses being irrevocable and intentionally cause another leftpad incident.
tacker2000
So now we are getting into the same situation as with Twitter for example, where the people running the platform are going to start to be the ultimate arbiters of “rules” and “truths”.
Should github get involved in this like they did? If they thought his account got hacked, maybe yes. But he did it on purpose, so what happens now? Are they gonna reinstate the empty repo?
With all our code so dependent on external sources nowadays, this kind of situation could happen more and more.
mellosouls
Given the rather flakey behaviour (however provoked he feels) by the owner of a quite high-profile project, it's not unreasonable to presume caution on the part of github.
The account appears to be there, so either the suspension was temporary, or its visibility is not related to his access to it?
https://github.com/marak
I wonder if this is because of faker project or he did something else to violate GitHub rules.
Because if it’s only related to FakerJS then that’s really fucked up.
punk_ihaq
Yeah it's pretty ridiculous if they locked him out for changing the README + issue comments of his own repo. Curious if he actually violated anything in GitHub's TOS.
Macha
I think changing his own repo is one thing, but using the repo admin ability to edit another user's post reporting an issue to link to conspiracy theories does feel like an abuse of that ability.
cr3ative
"Erased" is the key term here, they rug-pulled a popular NPM package. That's within their rights, but it's going to break things and looks very suspicious, so I'm not entirely surprised their account has been locked down.
viro
> they rug-pulled a popular NPM package. That's within their rights
That sounds like malicious activity. That's normally against most terms of service.
sneak
Just because it's malicious doesn't mean it's against the rules (or should be).
He didn't do anything wrong. You should have local mirrors of stuff you rely on.
viro
It's literally a crime. Malware is illegal.
cr3ative
Without getting in to the conspiracy theories or watching someone's YouTube, it appears the (oft controversial) author rug-pulled a popular npmjs package.
This is probably Github doing damage control / fixing up build pipelines for everyone while they figure out next steps.
foragerr
But npm already did the damage control and restored an older version, fixing all broken CI pipelines.
What does any of this have to do with GitHub?
JimDabell
You know NPM isn’t the only way to install JavaScript packages, right? You can add a GitHub repository directly. Yanking the NPM package doesn’t protect people who are pulling from GitHub directly.
cr3ative
It's a suspicious action, so probably locking the account down until they can get in touch and confirm that's what the user wanted to do, and wasn't hacked etc. Could even be automated between npm and github, a compromise warning or similar. All conjecture though.
A_non_e-moose
Aren't npm and GH all owned by Microsoft anyway?
miltonlaxer
Yes GH and NPM are part of the same company Microsoft
aliswe
Is the full story anywhere? People mentioning some conspiracy theory on twitter?
Macha
So, Ghislaine Maxwell, (edit: suspected to be) reddit power mod maxwellhill is currently being tried as an accomplice to Epstein's underage sex trafficking.
The usual conspiracy crowd however are trying to connect it to their old favourite, pizzagate, where they assume basically every left wing figure of note is involved in a satanic child sex cult operating out of a fake pizza shop in DC. They're also implying Aaron Schwartz was murdered to cover it up, rather than driven to suicide by overzealous prosecution of academic journal piracy.
When Marak deleted faker.js, he replaced everything with links to reddit conspiracy threads containing the same allegations.
maxwellhill is suspected but not confirmed to be the same person as ghislaine.
They're also inactive for >1yr.
Important context for people who aren't going to read further.
Judge for yourself: https://reddit.com/r/conspiracy/comments/r45a5n/here_is_the_...
andromeduck
That's understating it quite a bit. The activity & interests match up well, both high and low activity periods, lots of posting about age of consent, goes dark the same day she's arrested. The name may also be an allusion to her estate.
Public forums are a goldmine for identifying people who have compromising or plain illegal perversions. A rich and diverse source for both buying and selling perversions. Of course she and Epstein and others were using deep access to this site to their advantage. Like wolves to sheep.
vintermann
Another important context is that maxwellhill, whoever they were, were more than just another reddit power user. They were the first user to pass 1 million upvotes, they were instrumental in promoting the site from early on, and Aaron Swartz, of course, was an early reddit dev often credited as a co-founder.
It seems unlikely the early reddit admins would not know who maxwellhill is, whether they were Ghislaine or not.
That said, it seems to me maxwellhill (again, whoever they are) did absolutely not "promote pedophilia". The worst they've been able to find is some questions about age of consent laws.
zaroth
Thanks for the background. Truth really is stranger than fiction. You couldn’t make this stuff up.
I can absolutely see how people would be pulled deeply into conspiracy webs by this stuff.
That said, I wonder what the ToSs say on GitHub and NPM on basically taking over an account that pushes content they don’t personally agree with.
The right thing to do is for someone to properly fork the project and then they can spend the time and money providing a repo for the world to freeload on.
If someone can’t update references quickly, that’s a serious problem they need to fix with their own pipeline if they’re pointing to random third party libraries.
If the content wasn’t illegal the owner has every right to do what they want with it. They have no duty of care or warranty implied or otherwise on their own repo under that license. That’s the whole point! The whole point of pulling the rug out was an important protest on people freeloading on this person’s work.
To now freeload so badly that they effectively cancel the protest and take over the account is certainly indicative of how ethically bankrupt the freeloaders truly are.
moistly
Speaking of conspiracy…
Data-mining 1980s/early 90s alt.sex and its subgroups would provide interesting insights. In the Wild West days of Usenet, internationally criminal explicit content was being passed along the university backbones. Epstein & Maxwell would have had excellent access to their respective university’s unfiltered Usenet feed. I think it would be relatively easy to identify communication networks in which they and their peers were involved.
BugsJustFindMe
Swartz not Schwartz
Macha
Thanks, the edit window on my post is expired so unfortunately I can't fix it now
bellyfullofbac
That's like the last paragraph of the story... what even is faker.js?
I guess I should do my own research.
Macha
It's an open source library for generating convincing looking mock data for demos so you have a bunch of mixed, convincing names and not just John Doe1, Jane Doe2, test@example.com
It handles about 60 types of data.
It was previously a source of controversy in the open source funding debate when Marak posted a fuck you, pay me where he refused to make any more updates until some of the corporate users started sponsoring the project, which Godaddy eventually did.
aliswe
I'm eagerly awaiting a really interesting documentary about these things in a few years. Interesting time to be alive!
NabiDev
GitHub has become shit these days. Moving to Codeberg.