Former developer at software company deletes his code to protest its ties to ICE (opens in new tab)

(dailydot.com)

75 pointskonceptz6y ago101 comments

101 comments

"Earlier today, a former Chef employee removed several Ruby Gems, impacting production systems for a number of our customers."

So the developer already had left the company but one of his own Open Source code hosted on his personal github was used in production by Chef Customers ? Really ? That is just Wow. I don't have any strong opinions on whether he did the right thing but this absolutely surprises me. Running a small company, I am very strict against any of us using any personal accounts for anything that impacts our company work especially production. This has to be a no no by default I would assume.

WrtCdEvrydy6y ago

Remember leftpad?

CaptainJustin6y ago

For those interested see: How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

codegeek6y ago

Yes and even though they are similar but I would still argue that npm hellhole is quite different than a direct github library being used by a company in production.

saagarjha6y ago

Not completely related, but the tone of the two tweets linked in the article doesn’t make sense to me. The first is a reasonable request for a comment about an issue that Shanley cares about, but it’s immediately followed by a comment a minute later screaming at Chef to take a certain action while hurling epithets at them in all-caps. How can you possibly assume good faith from the first comment after reading the second? Why didn’t she just go straight to attacking them if that was clearly her intention?

thrower1236y ago

Expecting good faith from shanley given her track record is like yet another frog offering a ride across the river to the scorpion, despite the frog corpses nearly damming the flow downstream. This is just not a person who deserves to be taken seriously.

dogma11386y ago

She has a book to sell :)

konceptzOP6y ago

The technicals of the story are interesting around the software supply chain.

I’m put off by the statement: “I want to be clear that this decision is not about contract value—it is about maintaining a consistent and fair business approach in these volatile times,” he wrote. “I do not believe that it is appropriate, practical, or within our mission to examine specific government projects with the purpose of selecting which U.S. agencies we should or should not do business.”

I hear about practicality all the time at my office and sometimes it’s real and sometimes it’s laziness. This sounds like a little of both but also profit motivated (not saying that’s wrong for a for-profit company).

Interested in your options on code of ethics and the above.

SpicyLemonZest6y ago

It's definitely impractical to say you won't do business with anyone who does things you don't endorse. Imagine an electrician trying to demand a certification that the buildings he works on will host only ethical tenants. You just can't run a company that way; even people who do meet your ethical standards won't do business with you.

If you think that ICE is so uniquely bad that they specifically need to be boycotted, that makes sense. Without inviting any debate on whether it's true, it's a consistent position that can be reasonably applied.

cco6y ago

There were a lot of electricians on the Death Star...

sneak6y ago

You absolutely can run a company that way. I do, as do many others. My company has grossed multiple millions of dollars operating that way.

2 more replies

rjf726y ago

It's a PR statement so I wouldn't read much into it. It's designed solely to yield the least negative response possible in a polarizing situation.

But if we ignore the meaningfulness or truthfulness of the statement, let's take two hypothetical societies. In one society people agree to cooperate and trade with others when there's a mutual self interest, even if they happen to despise their partner otherwise. In the other society, people engage in a substantial degree of scrutiny and only trade and cooperate with others whom they are meaningfully aligned with. Which society do you think would have the better outcomes for whichever metrics you might imagine? I'd start with economic/technological progress, war vs peace, tribal vs unified (not to say homogeneous) society, etc.

I think there is a clear answer to my hypothetical, but perhaps people see things differently. I'd be quite curious to know how.

bradleyjg6y ago

It does seem odd and convenient to say I’ve got no problem making money from this part of the government but I won’t sell to that part of the government. It’s the same Congress and President making decisions for all the parts. Either it’s beyond the pale or it isn’t. I mean, would you do business with ISIS so long as the particular sub-project you were providing material for was innocuous?

moomin6y ago

I don’t think this tracks. I mean, the American Government is also part of the human race. Because we object to one part of the human race should we refuse to deal with any of it?

Humans have to make moral choices about where they personally draw the line and where they draw the boundary. Around the organisation that falsely imprisons Americans and runs concentration camps seems like a starting point.

2 more replies

mcguire6y ago

"Another user pointed out that Chef isn’t the only company to profit from working with ICE. Microsoft has raked in $4.6 million, IBM has received $1.6 million, and CISCO has received about $500,000 through their work with ICE."

Those numbers seem very low. Is this just for one year or one contract?

thrower1236y ago

The 4.6 million for Microsoft is just for Office 365 subscriptions, if I recall correctly.

remarkEon6y ago

Does each government agency have to individually enter into a contract with Microsoft et al.? That sounds wildly inefficient and silly. My guess is that this "user" pulled those numbers out of thin air.

kube-system6y ago

The purpose of a contract isn’t to be efficient with paperwork or describe a high-level view of transactions. It’s a document that very granularly describes those transactions.

Any large organization has many people with the authority to spend money, and each one of those transactions will be supported by a contract.

mcguire6y ago

Yes. Mostly.

The contracts are generally for specific products or services, for a specific time. High-level agencies have a great deal of autonomy and also get to pull their needs out of their own budgets. Lower-level elements within an agency (a NASA center, for example) can also have more or less autonomy.

1 more reply

sethvargo6y ago

Hi there. I’m around to answer any questions!

pertsix6y ago

If I was you, I would not answer any questions, and I would consult a lawyer.

edit: Looks like they were public gems, but in general it's always good advice to consult a lawyer before disrupting commercial or public systems.

AdmiralAsshat6y ago

That would be an insane precedent to send if breaking or removing a FOSS project becomes a crime simply because your project happens to be used in some mission-critical system.

Good way of making sure no one ever contributes to FOSS again.

1 more reply

pjc506y ago

He's not under arrest, Miranda.

1 more reply

beerbajay6y ago

No questions, but thank you for making it marginally more difficult for tech companies to avoid responsibility for whom they work.

frittig6y ago

Do you think that there is a point in having boarders between countries? If so how should they be enforced? If a 17 year "child" crosses the boarder should they be detained (ie. kept in prison until deportation) or should they be allowed to walk free in the US. If a child and parent both crossed the border should only the parents be detained leaving the child to fend for itself in America? Should they be detained in the same cell? ie keep children detained with adult.

I agree that keeping children in cages is not good, but there are solutions. If ice had a bigger budget maybe it could have more beds, larger cells, better food. I don't see how removing enforcement is a solution.

remarkEon6y ago

Using children as a way to take advantage of existing policy is a well known strategy employed by the cartels to get across the border, which is what initially precipitated the separation policy under the Obama Administration. While, sure, ICE having more funding would be good it's still just treating a symptom of a much larger problem (growing strength of Cartel activity and human trafficking).

iamaelephant6y ago

> I agree that keeping children in cages is not good, but

Come on, man.

2 more replies

t-writescode6y ago

What do you think ICE is doing with over $700 per person per night that they would do better with even more money?

sneak6y ago

Free movement of peaceful people is a basic human right; borders are based on entirely arbitrary violence, and are utterly ridiculous and plainly contrary to decent morals and good sense.

1 more reply

corndoge6y ago

Do you think this action had any net impact on ICE operations?

sethvargo6y ago

The goal was not to disrupt ICE, Chef, or any organization thereof. The goal was to remove my code from an ecosystem that was using it for purposes I perceive as evil. I had no goals of disrupting ICE operations or Chef operations.

I suspected a small percentage of people with a hard, runtime dependency would be impacted, but I did not know Chef (the software) had a hard runtime dependency and was pulling that dependency from public RubyGems instead of a mirror they control.

1 more reply

adamnemecek6y ago

It's a political statement. This action receiving news coverage is net impact.

1 more reply

faissaloo6y ago

I don't have a question, I just wanted to let you know what you did was extremely based.

sethvargo6y ago

Extremely based? I’m not sure I understand your comment.

2 more replies

AdmiralAsshat6y ago

Has there been any blowback from other clients/employers since taking the repo offline?

sethvargo6y ago

There have been some angry people on Twitter/HN/Reddit, but I would say “no” in general. Most feedback has been “you broke my stuff, but I don’t mind. thank you for standing up”.

codegeek6y ago

Did you contact Chef asking them to cancel the contract before removing the github code ?

sethvargo6y ago

I contacted them three times. One by mail, twice publicly via Twitter. I received no response. My correspondence did not request cancellation of the contract but rather an explanation. Inside sources at the company confirmed the contract and also noted leadership was forbidding them to speak publicly.

doggydogs946y ago

You would be a fool to hire this guy after this stunt.

WrtCdEvrydy6y ago

What stunt? He removed an open source library from his own personal account because he felt the nazis shouldn't be using his software. It's kinda like when IBM sold the nazis hardware to keep track of the Jews.

sethvargo6y ago

It’s also worth noting that the same result would have happened if I’d died. My will requests the immediate deletion of “all Internet accounts”. Such an action (deleting my GitHub account) would have had a very similar result.

manfredo6y ago

Detaining and deporting people illegally crossing a border is far, far from comparable to the deliberate extermination an religious minority. There are good objections to make regarding treatment of migrants at the border, but this kind of extreme hyperbole seriously cuts away at the credibility of those arguments.

temac6y ago

You would be a fool to buy things from Chef after they show such a trivial vulnerability.

larkeith6y ago

You would be a fool to rely open-source software with no local copies.

dehrmann6y ago

It's also pretty short-sighted because ICE does some uncontroversial things (border crossings, customs), and a lot of the flak they've been getting is from actions pushed down to the from the administration. Now, they're also not known for being defenders for human--or even constitutional--rights.

It seems more effective to donate $2,800 to pick-a-democrat. Or Mark Sanford.

bobthepanda6y ago

While border crossings and customs are themselves not controversial for merely existing, how they are administered is definitely a source of controversy.

autotune6y ago

I am pretty sure that guy bas been doing well enough that he could retire fairly successfully at this point if he really wanted to.

handlegoeshere6y ago

Seth, as a person that has learned a lot from you over the years and benefited from your work while at Chef, Hashicorp, and Google Cloud, this act has only increased my respect for you. Thank you for taking a stand against oppression and injustice.

ykevinator6y ago

Hero. Too many vanity talkers today, not enough doers.

schmookeeg6y ago

I expect that, to be ethically consistent, this developer will also return all salary or payments he received while creating this now-deleted code.

I think leaving a job is a better protest than doing damage to your employer. And perhaps for his next contract, he might insert a clause limiting what his code can be used for. In limiting the utility of the code he sells, I expect he'd be taking a lesser pay rate for it.

konceptzOP6y ago

If you read the article, the developer already was not working for Chef. Chef was/is relying on OSS components which the former develop pulled from the open repository. -edit for clarity.

schmookeeg6y ago

Thanks, I overlooked that somehow. (pre-morning tea over here :) )

I haven't read many OSS licenses. Can't someone just publish an 'unethical' fork and life goes on?

4 more replies

CaliforniaKarl6y ago

That’s something that wasn’t particularly clear to me from the article, but some browsing around GitHub cleared it up.

Chef now has the repo ‘forked’ in to their GitHub account: https://github.com/chef/chef-sugar

sethvargo6y ago

I am in the process of retroactively donating all profits from my personal book - Learning Chef.

I never received money from the code in question, but I’m still doing my personal best to offset impact.

namewasmypw6y ago

> I think leaving a job is a better protest than doing damage to your employer

You either don't protest or you're very bad at it

j / k navigate · click thread line to collapse

101 comments

codegeek6y ago

"Earlier today, a former Chef employee removed several Ruby Gems, impacting production systems for a number of our customers."

WrtCdEvrydy6y ago

Remember leftpad?

CaptainJustin6y ago

For those interested see: How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

codegeek6y ago

Yes and even though they are similar but I would still argue that npm hellhole is quite different than a direct github library being used by a company in production.

saagarjha6y ago

thrower1236y ago

dogma11386y ago

She has a book to sell :)

konceptzOP6y ago

The technicals of the story are interesting around the software supply chain.

Interested in your options on code of ethics and the above.

SpicyLemonZest6y ago

cco6y ago

There were a lot of electricians on the Death Star...

sneak6y ago

You absolutely can run a company that way. I do, as do many others. My company has grossed multiple millions of dollars operating that way.

2 more replies

rjf726y ago

It's a PR statement so I wouldn't read much into it. It's designed solely to yield the least negative response possible in a polarizing situation.

I think there is a clear answer to my hypothetical, but perhaps people see things differently. I'd be quite curious to know how.

bradleyjg6y ago

moomin6y ago

I don’t think this tracks. I mean, the American Government is also part of the human race. Because we object to one part of the human race should we refuse to deal with any of it?

2 more replies

mcguire6y ago

Those numbers seem very low. Is this just for one year or one contract?

thrower1236y ago

The 4.6 million for Microsoft is just for Office 365 subscriptions, if I recall correctly.

remarkEon6y ago

kube-system6y ago

The purpose of a contract isn’t to be efficient with paperwork or describe a high-level view of transactions. It’s a document that very granularly describes those transactions.

Any large organization has many people with the authority to spend money, and each one of those transactions will be supported by a contract.

mcguire6y ago

Yes. Mostly.

1 more reply

sethvargo6y ago

Hi there. I’m around to answer any questions!

pertsix6y ago

If I was you, I would not answer any questions, and I would consult a lawyer.

edit: Looks like they were public gems, but in general it's always good advice to consult a lawyer before disrupting commercial or public systems.

AdmiralAsshat6y ago

That would be an insane precedent to send if breaking or removing a FOSS project becomes a crime simply because your project happens to be used in some mission-critical system.

Good way of making sure no one ever contributes to FOSS again.

1 more reply

pjc506y ago

He's not under arrest, Miranda.

1 more reply

beerbajay6y ago

No questions, but thank you for making it marginally more difficult for tech companies to avoid responsibility for whom they work.

frittig6y ago

remarkEon6y ago

iamaelephant6y ago

> I agree that keeping children in cages is not good, but

Come on, man.

2 more replies

t-writescode6y ago

What do you think ICE is doing with over $700 per person per night that they would do better with even more money?

sneak6y ago

Free movement of peaceful people is a basic human right; borders are based on entirely arbitrary violence, and are utterly ridiculous and plainly contrary to decent morals and good sense.

1 more reply

corndoge6y ago

Do you think this action had any net impact on ICE operations?

sethvargo6y ago

1 more reply

adamnemecek6y ago

It's a political statement. This action receiving news coverage is net impact.

1 more reply

faissaloo6y ago

I don't have a question, I just wanted to let you know what you did was extremely based.

sethvargo6y ago

Extremely based? I’m not sure I understand your comment.

2 more replies

AdmiralAsshat6y ago

Has there been any blowback from other clients/employers since taking the repo offline?

sethvargo6y ago

There have been some angry people on Twitter/HN/Reddit, but I would say “no” in general. Most feedback has been “you broke my stuff, but I don’t mind. thank you for standing up”.

codegeek6y ago

Did you contact Chef asking them to cancel the contract before removing the github code ?

sethvargo6y ago

doggydogs946y ago

You would be a fool to hire this guy after this stunt.

WrtCdEvrydy6y ago

sethvargo6y ago

manfredo6y ago

temac6y ago

You would be a fool to buy things from Chef after they show such a trivial vulnerability.

larkeith6y ago

You would be a fool to rely open-source software with no local copies.

dehrmann6y ago

It seems more effective to donate $2,800 to pick-a-democrat. Or Mark Sanford.

bobthepanda6y ago

While border crossings and customs are themselves not controversial for merely existing, how they are administered is definitely a source of controversy.

autotune6y ago

I am pretty sure that guy bas been doing well enough that he could retire fairly successfully at this point if he really wanted to.

handlegoeshere6y ago

ykevinator6y ago

Hero. Too many vanity talkers today, not enough doers.

schmookeeg6y ago

I expect that, to be ethically consistent, this developer will also return all salary or payments he received while creating this now-deleted code.

konceptzOP6y ago

If you read the article, the developer already was not working for Chef. Chef was/is relying on OSS components which the former develop pulled from the open repository. -edit for clarity.

schmookeeg6y ago

Thanks, I overlooked that somehow. (pre-morning tea over here :) )

I haven't read many OSS licenses. Can't someone just publish an 'unethical' fork and life goes on?

4 more replies

CaliforniaKarl6y ago

That’s something that wasn’t particularly clear to me from the article, but some browsing around GitHub cleared it up.

Chef now has the repo ‘forked’ in to their GitHub account: https://github.com/chef/chef-sugar

sethvargo6y ago

I am in the process of retroactively donating all profits from my personal book - Learning Chef.

I never received money from the code in question, but I’m still doing my personal best to offset impact.

namewasmypw6y ago

> I think leaving a job is a better protest than doing damage to your employer

You either don't protest or you're very bad at it

j / k navigate · click thread line to collapse