Open Source is Charity; It should not be poison
afiori

Open source maintainers and developers are gifting us their work, so we should hold them to the same standard we apply to gift-giving and charity in general.

If someone bakes a pie with rotten ingredients, offers it to a public pantry, and people end up with food poisoning, there are two independent faults:
- the pantry distributed contaminated food
- someone made a pie with the intention of poisoning people.
The latter is independent of the former.
This is obviously meant as an analogy to the recent colors.js and faker.js incident, to which I suggest the same reasoning should apply.

It is a reminder that the current practice of running random code from the web is dangerous, but it is also an example of someone intentionally disguising poison as a gift. npm is a place to distribute non-malicious code (its ToS says as much). Just as a university was banned from Linux kernel development for deliberately submitting flawed patches, this was an attempt to distribute malware and should be treated like the attack it is.

To be clear: this is not to claim that FOSS or OSS developers owe us good code (or any other kind of work), nor that malware should never be written (there are many legitimate reasons to study and research malware), but that you should not distribute malware where it is likely to be mistaken for well-intentioned code.