
An Inside Job: The Danger of Weaponized Open Source Projects

In a widely circulated article this week, Gerald Benischke is making the open-source community take a hard look at the possible consequences of weaponized code. He's right to be concerned that everything “open source has achieved over the last 30 years … [is] now at risk of becom[ing] collateral damage.” Why?

It’s not about sitting on the fence or taking sides in a war. It’s about what open source has achieved over the last 30 years and I think that’s now at risk of become collateral damage.

Gerald Benischke

Open Source Softwar(e)

Following the Russian invasion of Ukraine, many western companies cut their services and sales to some or all Russian customers. Open-source NoSQL database MongoDB is among them.

Benischke also looked at how a modified Node library now tries to delete files on machines with Russian IP addresses.

Both of these actions are potentially destructive, albeit in different ways. Both turn open source into a weapon.

Is this even Open Source?

Less damaging but more personally intrusive, a community Terraform AWS module changed its code and appended extra requirements after its Apache license text. These “Additional terms of use for users from Russia and Belarus” require those users to agree with three statements. One of those statements is “Putin is a dickhead.” Benischke notes this violates part of the Open Source Initiative’s definition of open source:

5. No Discrimination Against Persons or Groups.
The license must not discriminate against any person or group of persons.

OSI, The Open Source Definition

What does it even mean to target people who are “from” a certain country? You might be “from” a country you do not currently live in. And not everyone living or born in a country has citizenship there. How a person defines their origins is completely subjective. Nationality is a legal fiction. Ethnicity and race are socially constructed and imaginary. Currently, 10 million people are stateless — without citizenship in any nation.

Protestware or Malware?

Once our software can't be trusted, what will happen?

Benischke warns about the possible “unintended consequences” of weaponized and discriminatory code. He's right that it goes beyond protest, especially in the case of the destructive Node library:

“In my mind, the term ‘protestware’ is attempting to legitimize the malicious actions and very much turns open source libraries into weapons to be aimed and fired at your opponent… I do think that these actions are to be condemned — especially as the “delete files based on geofencing IP addresses” has got the potential of causing collateral damage.”

Collateral damage to trust in open source could kill it.

The deeper (and probably the worst) unintended consequence is the loss of trust in the open-source community. Benischke asks if it's even open-source code if you can't trust it.

The Open Source Initiative (OSI) responded positively to Benischke's post and agrees with him. OSI supports “creative” forms of “protestware” that are informational or symbolic, but it distinguishes these from weaponized code, which it condemns. However, OSI does not mention trust at all, or the consequences of losing it.

Why does trust matter so much?

If you can't trust your dependencies, who is in a position to take ownership of them all to ensure their secure functioning? Benischke points out that only a few large companies allied with the most powerful nations could afford to do this. Exclusive multinational blocs using trusted but closed source software might emerge if we go down this path. And it's not as if we didn't already have enormous challenges with security, maintenance, project sustainability, and the “bus factor.”
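One concrete, defensive response to the dependency-trust problem described above is to pin exact versions and require integrity hashes, so that a maintainer who weaponizes a later release cannot have it silently pulled in by your next install. The following is an added example, not code from the article or from any project it mentions. It audits an npm `package.json` together with a `package-lock.json` (lockfileVersion 2/3 `packages` layout) and reports floating version ranges, lock entries without an integrity hash, and tarballs not resolved over HTTPS. The package names, registry URLs and hash values are constructed sample data.

```javascript
// Added example, not code from the article or any project it mentions.
// Audits an npm package.json plus package-lock.json (lockfileVersion 2/3
// "packages" layout) for conditions that let a weaponized release slip in:
//   floating-range    : package.json range (^, ~, *, >=) admits a newer version
//   missing-integrity : lock entry has no integrity hash, tarball is unverified
//   insecure-resolved : tarball fetched over something other than https://
// All package names, URLs and hashes below are constructed sample data.

// An exact pin: MAJOR.MINOR.PATCH with optional pre-release / build metadata.
const EXACT_PIN = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function auditLockfile(pkg, lock) {
  const findings = [];

  // 1. Declared ranges: anything that is not an exact version can resolve
  //    to a newer, unreviewed release on the next install.
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    if (!EXACT_PIN.test(range)) {
      findings.push({ name, kind: 'floating-range', detail: range });
    }
  }

  // 2. Resolved entries: every installed package should carry an integrity
  //    hash and be fetched over TLS from the expected registry.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project entry or workspace symlink
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!entry.integrity) {
      findings.push({ name, kind: 'missing-integrity', detail: entry.version });
    }
    if (entry.resolved && !entry.resolved.startsWith('https://')) {
      findings.push({ name, kind: 'insecure-resolved', detail: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample manifest and lockfile (hypothetical package names).
const samplePackageJson = {
  name: 'demo-app',
  dependencies: { 'geo-helper': '^1.3.0', 'tiny-util': '2.0.1' },
};

const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: samplePackageJson.dependencies },
    'node_modules/geo-helper': {
      version: '1.3.2',
      resolved: 'https://registry.example.test/geo-helper/-/geo-helper-1.3.2.tgz',
      integrity: 'sha512-CONSTRUCTEDPLACEHOLDERHASH0000000000000000000000000000000000000000000000000000000000==',
    },
    'node_modules/tiny-util': {
      version: '2.0.1',
      resolved: 'http://mirror.example.test/tiny-util-2.0.1.tgz', // no integrity, plain http
    },
  },
};

// Runs the audit over the constructed sample and returns the findings.
function runAudit() {
  return auditLockfile(samplePackageJson, sampleLock);
}

for (const f of runAudit()) {
  console.log(`${f.kind.padEnd(18)} ${f.name}: ${f.detail}`);
}
```

On the sample data the audit reports three findings: `geo-helper` is declared with a floating `^1.3.0` range, and `tiny-util` has neither an integrity hash nor an HTTPS source. A clean manifest (exact pins, hashes present, HTTPS everywhere) produces no findings. Pinning and hashing do not make a dependency trustworthy, but they do turn a surprise update into a deliberate, reviewable change.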

This is why Benischke's concerns that the death of trust would be a lethal poison are not far-fetched or of secondary importance to WordPress and open source. If anything, he understates the precarity of the moment we are in.

What about you? Let us know in the comments.


Post Status Postscript

You may not be interested in the US Department of Defense, but what if the DoD is interested in your open source project?

It wasn't hard to see the weaponization of open source coming long ago. I just thought it would be done by malign individuals and organizations outside the open-source community.

Governmental actors have been exploiting open (and closed) source code to spy on and harm enemies for a long time. I just didn't think it would be members of open source projects doing this themselves.

And now we've experienced this in the WordPress community, with the Zamir plugin. (See our related thoughts on that story over here.)

These developments are all very concerning. Unfortunately, there are always some people who seem to care more about criticizing project leadership than clarifying issues constructively. For example, there have been some exaggerated fears and baseless speculations about Zamir as a high-level Russian counter-intelligence scheme. This kind of talk just muddies the waters.

That said, it's worth considering that governmental reactions can be unfounded, exaggerated, and punitive too. In fact, they often are. That's why something like the following scenario strikes me as a credible “worst case” the open-source world faces now:

“The .org OSS project is entirely legally controlled by a US company which could, at any time, fall under scrutiny for providing services to Russia, or be brought into the sanctions regime.”

Heather Burns @WebDevLaw

Is this how we need to think now, of globalized, international, open-source projects and communities? In a somewhat paranoid, suspicious way for our own good? It's not a pleasant thought.

Imagining the worst — the ways open source could be destroyed — reminds me of a conversation I had at the last Post Status Partners Retreat. I asked a WordPress OG why he thought there always seems to be a constant sense of anxiety in the WordPress community — as if a massive disaster is just around the corner. I haven't seen that in other projects that are healthy even if they have a much smaller market share — like Drupal, for instance. (Speaking of which, you should check out Amy June Hineline’s comparison of the Drupal and WordPress communities in her recent chat with David.)

My question led to the response that only WordPress can destroy WordPress; it's that big. Then we had some fun imagining “evil” self-sabotage scenarios that might realistically play out if things went sideways. Later I posed this as a thought experiment with other people — imagine a Screwtape Letters take on WordPress. What would a clever demon do to ruin the project by manipulating its insiders?

Even in the worst-case scenarios, most people agreed that some massive corporations are so dependent on WordPress that they would take the project over into their own in-house (and likely as good as proprietary) distributions. WordPress would not die. The project as we know it might die. The community would die. The software, at the end of the day, is the most durable thing — but it's not worth much to us if it's torn away from open source freedoms and an open, cooperative community of contributors.

Can an open-source community like ours survive abandoning a fully globalized, international openness — at least as a possibility and ideal? Would survival in that context be worth anything, or be truly open? I don't think so. But we're now looking at a darkening world where every open-source project has reason to worry about that as a non-zero possibility.

— Dan Knauss


2 Comments

  1. Interesting, in the case of the Russian war, I think the answer to your question (What does it even mean to target people who are “from” a certain country?) is that the one who pays taxes to Russia (and at the same time sponsors their army) should be banned. But from our experience (Crocoblock), we’ve not just banned Belarusian & Russian users but left them the opportunity to refresh their license if they don’t support the Putin regime and the war.

    Thank you for the article; it makes me think deeply about the WordPress project. 🙂

  2. Thank you!

    Interesting perspective on how to make that distinction among customers. What a terrible situation…

    Re. taxation… there might be supporters of the Russian government’s actions who do not pay them taxes and non-supporters who are required to. Generally, taxation indicates residency, not necessarily citizenship, but the US ties citizenship to taxation no matter where you are living. So does Eritrea, and those are the only two.

    I actually know a person with Eritrean, US, Canadian, and Dutch citizenship — they pay taxes to where they are living but must report to the others as well and potentially pay in other countries depending on business and property holdings. Actually asking customers to position themselves and respond might be the only way to verify if you want them as customers, although it still involves trust.

    The less trust in the world, the worse it is for us all.
