The Problem

Repositories are great

Public software repositories like the NPM Registry, Maven Central, GitHub, and Docker Hub are great. They offer developers a place to find awesome libraries and applications ready to use and, most of the time, free of charge. This makes developing software safer, faster, and more manageable, a big win for everyone.

Incidents

However, there have been multiple incidents in the past involving software repositories which are cause for concern. Most notably:

  • youtube-dl DMCA Takedown on GitHub (Claim): The RIAA issued a DMCA takedown notice due to copyright claims to GitHub, forcing them to block youtube-dl and its forks on the platform. Later, GitHub and its owner Microsoft reinstated the Git repositories (Article) and promised to defend open-source software in the future.
  • faker.js and colors.js rollback (The Verge Article): The author of these two libraries actively sabotaged them and released new versions. They were imported into software projects because the dependencies were not pinned and updates were automated blindly. This caused a lot of chaos and confusion. As a result, the NPM registry reverted the malicious versions, while GitHub supposedly blocked the author’s account.
  • Tornado Cash sanctioned by U.S. Treasury (Article 1, Article 2, Article 3): The popular on-chain privacy-preserving mixer protocol Tornado Cash was sanctioned by the U.S. Treasury due to money laundering concerns. These sanctions prohibit U.S. citizens and companies from interacting with the Tornado Cash entity and with the on-chain smart contracts, the first time blockchain addresses have been sanctioned. This triggered GitHub to suspend the public open-source repositories of Tornado Cash and the user accounts of anyone who had contributed to the repositories. Furthermore, the centralized domain of the protocol was suspended, while the decentralized ENS domain continued to function by serving the frontend via IPFS. Centralized stablecoin provider Circle (USDC) froze all user funds within the protocol, and node access providers Infura and Alchemy blocked access to the smart contracts through their services. Other decentralized applications like Aave started to abide by the sanctions voluntarily, preventing wallet addresses that had used Tornado Cash in the past from accessing their services. In the following days, one of the developers was arrested in the Netherlands on money laundering charges.

Such incidents¹ of this magnitude are very rare. Still, they show the importance of repositories and other centralized infrastructure in software development and the power that lies with those who manage them.

Threats

It does not matter whether or not you agree with the actions that were taken. The fact of the matter is that the popular software repositories we use daily are not just centralized software applications; they are also owned and managed by centralized entities incorporated in the offline world. Hence, they are bound by local and national laws while pursuing commercial interests. Even if they pledged to uphold the interests of the global software development community, their own interests would always come first.

This leaves software repositories and the software they host vulnerable to cyber-attacks and threats due to legal, political, and economic pressure. Handling DDoS attacks and hacks is a developer’s daily business, but fending off lawsuits and blackmail is definitely not. And if you are anything like us, you would like to stay as far away as possible from such topics.

Censorship

Imagine you are an excellent software developer who created an app that millions use and love. At the same time, your software might be utilized by people for activities that are illegal in some countries. The administrators of some software repositories could be compelled by law enforcement to block access to your software in certain countries or even globally. The latter is especially dangerous as a single government could cripple the global software supply chain.

Manipulation

Even more dangerous is the possibility of manipulation. Only some developers verify downloaded artifacts, for example by comparing the checksum with the value the developer publishes directly.² Some dependency tools perform these checks using data provided by the repository itself, which is a problem: a checksum served by the same party that serves the artifact proves nothing about that party. If the repository acts maliciously, it can replace both the artifact and its checksum and introduce arbitrary code into dependent projects without many people noticing.
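The difference between the two checks described above, and the pinning failure behind the faker.js/colors.js incident, can be shown in a few lines. The following Python script is an added example written for this page; it is not code from the original text or from any registry's own client. The Registry class, the sample artifact bytes and the tampered variant are all constructed for illustration, and the "sha512-<base64>" integrity format mirrors the one used by Subresource Integrity and npm lockfiles. A checksum read from the repository still matches after the repository swaps the artifact, while a checksum pinned in the project out-of-band does not.

```python
import base64
import hashlib
import hmac

# Constructed sample artifact standing in for a downloaded package tarball.
ORIGINAL_ARTIFACT = b"module.exports = function add(a, b) { return a + b; };\n"
# Constructed stand-in for a swapped artifact; only a harmless comment differs.
TAMPERED_ARTIFACT = ORIGINAL_ARTIFACT + b"// contents changed after publication\n"


def integrity_string(data: bytes, algorithm: str = "sha512") -> str:
    """Produce an SRI/npm-lockfile style integrity value, e.g. 'sha512-<base64>'."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, expected: str) -> bool:
    """Check data against an integrity string obtained out-of-band (lockfile, vendor page)."""
    algorithm, _, encoded = expected.partition("-")
    if algorithm not in ("sha256", "sha384", "sha512") or not encoded:
        return False
    actual = integrity_string(data, algorithm)
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual, expected)


class Registry:
    """Constructed stand-in for a repository that serves an artifact plus the checksum it publishes."""

    def __init__(self, artifact: bytes):
        self.artifact = artifact
        self.published_integrity = integrity_string(artifact)

    def replace_artifact(self, new_artifact: bytes) -> None:
        # A malicious or compromised repository controls both values, so it updates them together.
        self.artifact = new_artifact
        self.published_integrity = integrity_string(new_artifact)


def verify_with_registry_checksum(registry: Registry) -> bool:
    """The weak check: the checksum comes from the same party that served the artifact."""
    return verify_integrity(registry.artifact, registry.published_integrity)


def verify_with_pinned_checksum(registry: Registry, pinned: str) -> bool:
    """The stronger check: the checksum was recorded in the project when the dependency was reviewed."""
    return verify_integrity(registry.artifact, pinned)


def run_scenario() -> dict:
    """Return the outcome of both checks before and after the repository swaps the artifact."""
    registry = Registry(ORIGINAL_ARTIFACT)
    pinned = integrity_string(ORIGINAL_ARTIFACT)  # stored in the project's lockfile at review time
    results = {
        "before": {
            "registry_checksum": verify_with_registry_checksum(registry),
            "pinned_checksum": verify_with_pinned_checksum(registry, pinned),
        }
    }
    registry.replace_artifact(TAMPERED_ARTIFACT)
    results["after"] = {
        "registry_checksum": verify_with_registry_checksum(registry),
        "pinned_checksum": verify_with_pinned_checksum(registry, pinned),
    }
    return results


if __name__ == "__main__":
    for phase, outcome in run_scenario().items():
        print(phase, outcome)
```

The pinned value only helps if it was obtained from somewhere the repository does not control, such as the developer's own site or a lockfile committed after review, and if the tooling refuses to update it silently; a lockfile that automation regenerates on every build degrades back into the registry-checksum case.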

Centralized Power

As we all know, with great power comes great responsibility. Millions of people depending on a centralized system controlled by a single centralized entity is fine as long as everybody is happy and we all love and respect one another.

This means that we are in for a disaster sooner or later.


  1. More incidents: GitHub Account banned

  2. Yes, signatures could avoid this, but there are other risks we will address later.
