Dependencies: Both Technological And Human, On Display In The Story Of A Developer Who Deleted Code Being Used By ICE

Culture

from the our-interconnected-world dept

Three years ago, we had a pretty fascinating story about how a developer, after getting an ambiguously threatening note from a company about how a bit of his code might violate the trademark of another company, deleted all of his code from NPM (Node Package Manager), a key repository for node.js code. One of the bits that the developer deleted (totally unrelated to the potential trademark dispute) was simple code that tons of websites relied on — leading many of them to break in response. The story raised all sorts of interesting questions not just about trademark, but namespaces, who controls code, dependencies, and much more. Indeed, the story was so interesting to me that I (very loosely) used it as inspiration for a science fiction story I recently wrote that will be released very soon (more on that very soon as well!)

Having been thinking a lot about all of that lately thanks to the story I was working on, I was surprised to see a similar situation pop up last week, with slightly different issues. This one involved an IT automation company, Chef, that helps lots of organizations better manage the configuration of various physical and virtual servers. The story kicked off with some controversy as someone noticed that Chef had signed a contract with ICE. Lots of people got (reasonably) angry about this, following on a pattern that has been playing out in the tech sector over the last few years.

Chef’s CEO put out a pretty lame email and blog post, basically saying “but we signed this deal under the previous administration,” which (among other things) fails to recognize that ICE was pretty fucking terrible during the previous administration as well.

But here’s where the story gets a lot more interesting. A former Chef employee named Seth Vargo, who had created a bit of open source software called Chef Sugar, got quite reasonably upset to learn that ICE was using his code to more efficiently detain children.

“I was having trouble sleeping at night knowing that software?code that I personally authored?was being sold to and used by such a vile organization,” he told Motherboard in an online chat. “I could not be complicit in enabling what I consider to be acts of evil and violations of our most basic human rights.”

Vargo asked the company to explain this (prior to that awful blog post mentioned above) and then, after a few days went by without a response, took down his code from two key repositories: Github and RubyGems. As he wrote:

I have removed my code from the Chef ecosystem. I have a moral and ethical obligation to prevent my source from being used for evil.

Of course, because no one has learned anything, multiple other systems depended on that code being in those repositories, and those systems started breaking as well. Even more fascinating, some of the people who this caused problems for still supported Vargo’s decision:

props to the Google Engineer who yanked code from Chef for working with ICE. You've made my job harder today, but I really don't mind.

— marea rosa (@smrt_fasizmu) September 19, 2019

This certainly started getting much wider attention — leading Chef’s CEO to issue an update on Friday, which first seemed to unnecessarily attack Vargo:

On Thursday, September 19th an action was performed by a trusted community member in violation of the standards of open source software (OSS) development. The individual yanked several RubyGems that they authored while employed by Chef. In order to remove the gems, they first removed the other owners and took unilateral action to yank the gems, violating established processes for making OSS changes and improperly removing property which Chef owned. This ownership has been established through the Github history of commits, licenses, etc. The individual did not have Chef?s permission to remove these items from the RubyGems site.

So, obviously, some may point out that since Vargo’s work was initially done on Chef’s dime as an employee, he has less ground to stand on. But, again, as an act of protest, it’s pretty fascinating.

Also, it turned out to be incredibly effective. By Monday, Chef had completely reversed its position and said that it would not renew its work with ICE:

As many of you know, we began our work with the U.S. Government in earnest in 2014 and 2015. This included DHS and its various departments under a different set of circumstances than exists today. The overarching goal was to help them modernize their computing infrastructure and create a cooperative community of IT professionals inside the government that could share practices and approaches in a similar way to many open source communities. Policies such as family separation and detention did not yet exist.

While I and others privately opposed this and various other related policies, we did not take a position despite the recommendation of many of our employees. I apologize for this. I had hoped that traditional political checks and balances would provide remedy and that our relationship with our various government customers could avoid getting intermingled with these policies. However, it is clear that checks and balances have not provided relief to the fundamental issues of the policies in question. Chef, as well as other companies, can take stronger positions against these policies that violate basic human rights. Over the past year, many of our employees have constructively advocated for a change in our position, and I want to thank them.

After deep introspection and dialog within Chef, we will not renew our current contracts with ICE and CBP when they expire over the next year. Chef will fulfill our full obligations under the current contracts.

The company also promised to donate the equivalent revenue that it had received from the contracts to charities helping people impacted by ICE’s family separation policy.

This whole story is quite interesting on multiple levels. Seeing tech workers recognize that they have some moral stake in how tech they develop is used is quite amazing — especially given the exaggerated (and incorrect) stereotype that Silicon Valley never cares or thinks through these things. That’s never been true, but it’s especially interesting to see people taking some element of ownership over how what they’ve developed is eventually used. Second, it’s another interesting example of how interdependence on code hosted elsewhere is creating a somewhat fragile web in certain places. I’m almost surprised that we haven’t seen this as an attack vector — gaining control over repositories and doing something with them that impacts lots of other services.

Either way, it’s a representation of how interconnected the entire world is — at both a technological and human level.

Filed Under: code, dependencies, ice, open source, seth vargo
Companies: chef