SMU Associate Professor Christoph Treude examines the foundations for studies on open-source software and protestware.

"Software developers don't develop everything from scratch," he says. "Just like car manufacturing, you rely on pieces that have been manufactured by others. So, it's the same with software developers, whether in the open source world or industry. They tend to re-use a lot of stuff that others have done."

Open source ecosystems can contain millions of individual items. So what happens if someone adds malware to their particular piece of software to protest, say, the war in Ukraine? Well, that has happened, with the result that some users in Russia and Belarus have had their computers hacked.

For instance, the developer behind software library node-ipc with its more than a million weekly downloads tried to replace all the files on the computers of users in Russia and Belarus with a heart emoji back in March 2022.

"Because of the interconnectedness of the software ecosystem, people who contribute or maintain just one piece of the gigantic puzzle can have quite a bit of power."

Sometimes, a maintainer, the main person driving an open source project, may make an honest mistake when developing software, Professor Treude says. "But more recently, with the war in Ukraine, if maintainers want to raise awareness about something specific, they turn their open source project into malware." In extreme cases, he says, "they've re-programmed the library purposefully to attack machines located in Russia and Belarus."

Others take less drastic action and merely introduce a message or document "urging support for whatever side they're on."

Identifying the main types of protestware

In a paper titled 'In War and Peace: The Impact of World Politics on Software Ecosystems', which was presented at a software engineering conference more than a year ago, Professor Treude and his co-researcher Raula Gaikovina Kula from Japan's Nara Institute on Science and Technology identified three main types of protestware:

1. Malignant protestware—software that intentionally damages or takes control of a user's computer without their knowledge or consent.

1. Benign protestware—software created to raise awareness of a political or social issue but does not take control of the user's device.

1. Developer sanctions which affect a software ecosystem more broadly. For instance, MongoDB decided not to sell its products to Russian users, and GitHub suspended Russian accounts.

'A loss of trust'

Professor Treude says the role of open source in software engineering has shifted over the past decade. In the early days, major corporations such as Microsoft were opposed to open source software "as they believed software should be sold for money and should not be available to everybody for free." However, Microsoft eventually became a major contributor to open source, maintaining its own libraries.