In the world of software development, third party software libraries are a common form of code sharing for developers. Most open-source material has been apolitical, but a new form of ‘protest-ware’ is emerging – varying from genuine social protest to deliberate malware.
Third party libraries are made of pieces of code that perform particular functions – created by someone else, the third party – that a developer can then incorporate without having to write detailed code for every function required for the software they are working on.
Computer scientist Dr Christoph Treude, with his colleague Raula Gaikovina Kula, has explored the phenomenon of what he describes as ‘weaponising’ software for political purposes. The ongoing war in Ukraine, particularly, has brought this behaviour into the spotlight.
Dr Treude says the advantages of open-source software (OSS) are that it promises higher quality, better reliability, greater flexibility, and lower cost for developers.
“Projects build reputation over time, with developers gaining trust in using these libraries. Each ecosystem has its own culture of maintainers, who are empowered to approve and publish contributed code changes.
“But problems arise when a maintainer feels empowered to sabotage their own projects, thus weaponizing their library as protestware – for example with the intention to make users of their library aware of some political stance, or situation,” he says.
Dr Treude says responses from the OSS community have been varied: some support the idea of free speech and the right to protest, but question whether inserting malware into software that unsuspecting users might incorporate into their own work is ultimately self-defeating.
The community was unimpressed by the precedent, which in their view could be exploited by ‘some random dev on the internet who thought it was the right thing to do’.
The second ‘type’ of protestware the researchers document is more benign in nature, and they cite an example in which a message of support for Ukraine appears in the code but the maintainer attached a README file pledging the module would not cause any damage.
The third case they examine relates to developer sanctions whereby maintainers or their parent companies decide not to distribute their products in Russia, or to allow code from Russian developers to be shared through popular platforms such as GitHub.
Dr Treude says evidence from this research shows “the thin line that exists between protestware and malware”.
“As mentioned by the OSS community, protest is an important element of free speech, with openness and inclusivity being cornerstones of the culture of open source. However, vandalizing open-source projects threatens any possible benefit, and might damage the projects and contributors responsible.”
In response to their explorations in the field of political protestware the researchers have laid out a research agenda based around ten key questions they hope will lead to effective analysis of the role, efficacy and harms that protestware presents.
“Our hope is that answering these questions will help us understand how to sustain and build resilient software ecosystems,” Dr Treude says.
Dr Christoph Treude, Senior Lecturer in Software Engineering, School of Computing and Information Systems, University of Melbourne
Raula Gaikovina Kula, Assistant Professor at Software Engineering Lab, Division of Information Science, Nara Institute of Science and Technology, Japan
Raula Gaikovina Kula and Christoph Treude. 2022. In War and Peace: The Impact of World Politics on Software Ecosystems. In Proceedings of the ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, to appear. (To be delivered November 2022. Preprint: https://arxiv.org/abs/2208.01393)