It is, however, assholishness to expect *any* package you’re not personally paying for support on to come as anything other than ‘as-is’ ‘no warranty’ ‘caveat downloader’.
It’s not ‘business’ if you’re not getting paid.
The only thing this package creator had to do was deprecate their package; then others could have forked it if they wanted to continue maintaining it, and evaluating a new owner’s credentials and work would be relevant. Up until that point it demonstrated that it was reliable, transparent, and not a risk.

Instead they handed it to a random person, giving that person access to millions of users, and that person turned out to be a bad actor.

But sure, I’m entitled and there’s absolutely no blame to be had by the person who controlled the package. And I’m sure you painstakingly deconstruct and vet every single package you use.

Edit: Also, the irony is that someone did painstakingly dissect this malicious attack and pieced together what happened thanks to git history among other things, and then brought it to the larger community so we can even have this discussion about whether the responsibility should’ve been on the owner or the user.

Products must be transparent and honest about how they work and what they do — other industries are heavily regulated. Tech has just moved too fast for regulation to keep up. But regulation is not inherently a bad thing, it’s what protects us from harmful chemicals in our food, hygiene products, etc., and it’s what ensures people aren’t exploited or discriminated against. The list goes on.