Yet another “brilliant” scheme from a cryptobro. Naturally this caused a gold-rush for scammers who outsourced random people via the gig economy to open PRs for this yml file (example)

  • redcalcium@lemmy.institute
    link
    fedilink
    arrow-up
    80
    ·
    9 months ago

    It’s hilarious that PR author in that example has monkey profile pic. I guess what people are saying about never trusting people with monkey pfp is true.

  • frezik@midwest.social
    link
    fedilink
    arrow-up
    77
    ·
    9 months ago

    Actually, I only want to add one file, tea.yml, to your repository. Because I have a job that requires uploading the file and I also don’t know what it is used for.

    So you want me to merge a file you use on your job and you don’t know what it does?

    I see no issue. Merged!

    • mosiacmango@lemm.ee
      link
      fedilink
      arrow-up
      60
      arrow-down
      2
      ·
      edit-2
      9 months ago

      He’s probably interested in blocking these kinds of PR’s.

      He is now that people are spamming the high profile projects he used as examples in his “get paid” cryptobro scam videos and it’s pissing people off in the FOSS communities hes trying to worm the project into.

      Hilariously, he stated that he would be really unhappy if people were doing this to his actual FOSS projects, which makes me wonder why he didn’t use them in his examples instead of the completely unrealted Node.js and ghost projects.

      Its almost like he made himself getting rich someone else’s problem. Totally unlike crypt bro behaviour, of course.

  • ezchili@iusearchlinux.fyi
    link
    fedilink
    arrow-up
    67
    arrow-down
    1
    ·
    9 months ago

    That’s insane

    Also lol at the people getting mad at the tea maintainer for “name calling” the guy hired to write up the scam PR

    Gig economy or not this idiot should have known better

    • db0@lemmy.dbzer0.comOP
      link
      fedilink
      arrow-up
      67
      ·
      9 months ago

      Lol classic reply from the monkey pfp “I didn’t know, I’m sorry, please don’t ban me, sir”. These fuckers know exactly what they’re doing seeing from how they obfuscated the pr purpose, and act all ignorant when caught. It’s exactly the same behaviour game cheaters exhibit when caught red handed

  • Rob Bos@lemmy.ca
    link
    fedilink
    arrow-up
    47
    arrow-down
    2
    ·
    edit-2
    9 months ago

    Honestly doesn’t sound like a terrible idea on paper, but this spam outbreak could kill it before it gets off paper in a real way. Giving devs a bad taste will stay around a long while.

    Edit: and of course the well-earned general attitude toward cryptocurrency as scammer playgrounds is automatically putting it way in the red too.

    • FlumPHP@programming.dev
      link
      fedilink
      arrow-up
      26
      ·
      9 months ago

      Dude also used a LLM to generate descriptions for the packages he’s serving from his package manager. And of course, it got them wrong, creating a headache for the actual package maintainers

    • chicken@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      17
      ·
      9 months ago

      I do like the idea of streamlining donations to open source projects directly through a package manager, and crypto seems like a good fit for that (decentralized, uncensorable). The issue here seems similar to knowing what charities are properly using funds; making a system to make decisions about how to spend money is hard when there’s so many people looking to misdirect it to themselves, and the point of this would be to relieve the people who would be donating the money from putting effort into doing the research themselves, so that big problem has to be solved.

  • Kusimulkku@lemm.ee
    link
    fedilink
    arrow-up
    38
    arrow-down
    1
    ·
    9 months ago

    which should prevent idiots like @onedionys from being able to figure out how to create the file.

    Wow, slow down @mxcl. Calling people names is not constructive not warranted here.

    Lmao fuck off

  • nothacking@discuss.tchncs.de
    link
    fedilink
    arrow-up
    19
    ·
    edit-2
    9 months ago

    Why does the tea project not have users claim ownership of GitHub profiles. That way it could be retroactively applied with no effort on the user or maintainer.

    • Cethin@lemmy.zip
      link
      fedilink
      English
      arrow-up
      5
      ·
      9 months ago

      I assume it’s because they don’t just want to count owners but also maintainers. How do you count maintainers? Does one accepted PR count? If not, how many? Counting owners only that would be fine though.

  • tranxuanthang@lemm.ee
    link
    fedilink
    arrow-up
    15
    ·
    9 months ago

    It’s sad that a lot of the username come from Vietnam (my country). I remember when the Stellar airdrop announced there were people trying to buy GitHub account for 3-5$ for “their company’s project”. Many people do the thing that called “MMO” like that here, that doesn’t realistically provide any value. They just want to get rich as fast as possible with only simple jobs such as copy and paste.

    • flying_sheep@lemmy.ml
      link
      fedilink
      arrow-up
      5
      arrow-down
      1
      ·
      9 months ago

      I greatly respect the way Vietnam has put things like stable rice prices over Western money. As far as I understand it, this allows for a society where nobody lives in abject poverty. But it also prevents people from getting rich quick by milking their own people. So if I got all of this right, it’s not surprising that some people encountered the idea of getting rich quick through the Internet and try that now.

      • chebra@mstdn.io
        link
        fedilink
        arrow-up
        4
        ·
        9 months ago

        @flying_sheep

        > nobody lives in abject poverty. But it also prevents people from getting rich quick by milking their own people

        lol… no… not at all

          • chebra@mstdn.io
            link
            fedilink
            arrow-up
            3
            ·
            9 months ago

            @flying_sheep probably yes, but if you are looking for a country where people are not living in poverty, where the state takes good care about them or where scammers can’t get rich quick, then Vietnam is unfortunately not it.

            • flying_sheep@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              9 months ago

              Yeah, I think the only thing I really believe about it is that it was a good move to decline the world bank’s conditions for giving Vietnam a loan. Those conditions would have involved allowing international investors to buy land and speculate with food. I think having the ability to fix e.g. rice prices as a government can be very beneficial to a country.

              But I don’t want to have an illusory view of how things really are if that’s also wrong.

              • chebra@mstdn.io
                link
                fedilink
                arrow-up
                1
                ·
                9 months ago

                @flying_sheep I’m with you on that. They protect their own land and economy and it’s only now slowly opening up, they don’t want foreign influence. On the other hand, that means they have total power over their citizens. Having prices dictated by government is cool except if you are the producer. And the prices are still going up anyway, and there is a huge risk regarding rice and climate change, that could have a serious effect in 10-20 years. But come visit, there are many great things too.

                • flying_sheep@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  9 months ago

                  Thanks! Yeah, I’ve been there a few years ago and it was lovely. I definitely want to come again some time.

  • nayminlwin@lemmy.ml
    link
    fedilink
    arrow-up
    5
    ·
    9 months ago

    I’ve seen video ads claiming to show you a way towards passive income from other people’s videos somehow. Now it’s coming to open source projects…

    • towerful@programming.dev
      link
      fedilink
      arrow-up
      5
      ·
      9 months ago

      Ive seen an uptick in twitch users offering graphics packs for streamers.
      I presume some company has figured out the prompts to get AI generated emote packs, and now hire people to offer this service randomly to small/medium streamers.

  • CrayonRosary@lemmy.world
    link
    fedilink
    arrow-up
    2
    arrow-down
    4
    ·
    9 months ago

    Am I stupid? How is this in any way confusing?

    I kept re-reading this line and it made no sense. All I need to do to claim ownership of a project is merge a pull-request? Do I own Laravel because I’ve gotten a pull request merged? (emphasis mine)

    Merging a pull request and having a pull request merged are two completely different things, and one very much requires you to own the project or have contributor rights to it. Which is exactly what the scammer is looking for proof of.

    How was the author confused by this? Or am I somehow the dummy here?

    • chebra@mstdn.io
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      9 months ago

      @CrayonRosary having a pull request merged is in no way a proof of ownership of the repo, or a sign that the owner wants to participate in this scheme. There are better ways to prove ownership. It’s relatively easy to slip in some file unnoticed, or falsely explain during the PR process what the file represents. So choosing this way of validation is a huge red flag about the whole scheme. It motivates people to falsely claim ownership of popular repos.

      • CrayonRosary@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        having a pull request merged is in no way a proof of ownership of the repo

        That’s literally what I was saying! That was the entire point of my comment!

  • toastal@lemmy.ml
    link
    fedilink
    arrow-up
    33
    arrow-down
    131
    ·
    edit-2
    9 months ago

    The easy red flag here is YAML. It’s a hideous, overly-complex format for anything so of course a scam would choose it.

        • jeffhykin@lemm.ee
          link
          fedilink
          arrow-up
          41
          ·
          edit-2
          9 months ago

          I have read the 1.2 spec (I’m trying to make a round trip parser for JS, and I do maintainance on a fork of the rumel yaml python package). I actually think its very well thought out, with things I hadn’t considered like future extensibility, streaming applications, and data-corruption detection.

          The diagrams, color coding, and less-formailty of the spec was much appreciated. Especially compared to something like the ECMA Script spec, which reads like a math textbook had a child with a legal document.

          I’m not saying YAML is perfect; round trip (the thing I’m working on) is nearly impossible because it wasn’t a design goal. It has a few too many features (I’ve never seen a declaration in the wild), but it does a good job at accomplishing the creators goals, and the additional features basically only slow down parser-implementers like me. I often pick it because of the tag support, which I’ve struggled to find an equivalent for in other serialization languages. I use anchors in recursive data structures, and complex keys for serializing complex data structures (not human readable). The “document end” marker has been nice when I’m worried about detecting partial-writes. And the merge key is nice for config files.

          The application/perspective matters. Yaml might be bad for you but its not bad for everyone.

          • toastal@lemmy.ml
            link
            fedilink
            arrow-up
            1
            arrow-down
            10
            ·
            edit-2
            9 months ago

            Even if anchors are pretty novel… I’ve watched myself & others fail for things that seem like they should be simple like scalars, quoting, & indentation rules all for being confusing (while failing to understand how/why the tab character isn’t supported).

            • theherk@lemmy.world
              link
              fedilink
              arrow-up
              7
              ·
              9 months ago

              That sounds like a skill issue. Something isn’t bad because you don’t understand it. Suggesting quoting is an issue for yaml is beyond the pale; it happens to be an issue everywhere.

              • jeffhykin@lemm.ee
                link
                fedilink
                arrow-up
                2
                ·
                edit-2
                9 months ago

                Despite my love of yaml. I actually think he has a small point with unquoted strings. I teach students and see their struggles. Bash also does unquoted strings and basically all students go years and years without realizing

                cat --help
                cat "--help"
                # ^ same thing
                
                cat *
                cat "*"
                # ^ not same thing
                
                cat $thing
                cat "$thing"
                # ^ similar but not the same 
                

                To know the difference between special and normal-but-no-quotes you have to know literally every special symbol. And, for example, its rare to realize the -- in --help, isn’t special at a language level, its only special at a convention level.

                Same thing can happen in yaml files, but actually a little worse I’d say. In bash all the “special” things are at least symbols. But in yaml there are more special cases. Imagine editing this kind of a list:

                js_keywords:
                - if
                - else
                - while
                - break
                - continue
                - import
                - from
                - default
                - class
                - const
                - var
                - let
                - new
                - async
                - function
                - undefined
                - null
                - true
                - false
                - Nan
                - Infinity
                

                Three of those are not strings. Syntax highlighting can help (which is why I don’t think its a real issue). But still “why are three not strings? Well … just because”. AKA there isn’t a syntax pattern, there’s just a hardcoded list of names that need to be memorized. What is actually challeging is, unless students start with a proper yaml tutorial, or see examples of quotes in the config, its not obvious that quotes will solve the problem (students think "true" behaves like "\"true\""). So even when they see true is highlighted funny, they don’t really know what to do about it. I’ve seem some try stuff like \true.

                Still doesn’t mean yaml is bad, every language has edge cases.

                • theherk@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  9 months ago

                  While the subjective assessment that quote handling in yaml is worse than bash is understandable, it is really just two of many many cases where quotes complicate things. And for a pretty good reason. They are used to isolate strings in many languages, even prose. They, therefore, always get special handling in lexical analysis. Understanding which languages use single quotes, double quotes, backticks, heredocs, etc and when to use them is really just part of the game or the struggle I guess.

              • toastal@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                9 months ago

                Most languages require you to put quotes around strings as the norm… breaking that is part of what causes all of the confusion in the first place. Better design upfront would lead to less common errors. I have way more quoting issues in YAML than I do JSON, Nix, Nickel, Dhall, etc. because they aren’t trying to be cute with strings.

                • jeffhykin@lemm.ee
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  9 months ago

                  When you’re editing yaml, why not just always write JSON?

                  Almost all nix attr keys are unquoted strings. Maybe I’m missing the point list, but I kinda wouldn’t expect it to be on the list.

            • jeffhykin@lemm.ee
              link
              fedilink
              arrow-up
              1
              ·
              9 months ago

              Its easy for me to say “just start writing JSON in the yaml. It doesn’t get more simple than JSON”, but actually I do think there’s a small point with the unquoted strings.

              Back before I knew programming, I was trying to change grammar settings sublime 2, which uses yaml. I had no idea what yaml was. The default setting values used unquoted strings fot regex. I knew PCRE regex and escapes, but suddenly they didnt work, and when I tried to match a single quote inside of regex that also didn’t work. I didn’t know I was editing yaml file (it had a .tmLanguage extension). Even worse, if I remeber correctly, unparsable settings just silently fail. Not only did I have no errors to google, I didn’t have any reason to believe the escapes were the cause of the problem (they worked in the command line). Sometimes I edited the regex and it was fine, and other times it just seemed to break. I didn’t learn about quoting in YAML until years later.

              For me that was an unfortuate combination, which was exacerbated by yaml unquoted weirdness. But when you’re talking about “did you read the spec” that’s a whole other story. .nan for nan, tabs vs spaces, unquted string weirdness, etc should just be one error message+google away. I think they’re a small hiccups with what is overall a great format.

    • umbraroze@kbin.social
      link
      fedilink
      arrow-up
      40
      arrow-down
      1
      ·
      9 months ago

      Brief history of YAML:

      “Oh no! All of these configuration file formats are complicated. I want to make things simpler!”

      (Years go by)

      “…I have made things more complicated, haven’t I?”

      YAML is generally good if it’s used for what it was originally designed for (relatively short data files, e.g. configuration data). Problem is, people use it for so much more. (My personal favourite pain example: i18n stuff in Ruby on Rails. YAML language files work for small apps, but when the app grows, so does the pain.)

      • db0@lemmy.dbzer0.comOP
        link
        fedilink
        arrow-up
        26
        arrow-down
        1
        ·
        9 months ago

        Ansible is using YAML and it’s orders more readable than any other config engine, like puppet or cfengine.

        • pastermil
          link
          fedilink
          arrow-up
          3
          ·
          9 months ago

          Ideally, yes it can be beautifully written, certainly more than bash scripts.

          With that said, I’ve also seen some hideous ansible scripts…

      • toastal@lemmy.ml
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        edit-2
        9 months ago

        originally designed for (relatively short data files, e.g. configuration data)

        This I can get behind. But because it’s not bad in those spaces folks think it’ll be a good idea in all spaces. Anchors do neat things, but organizing large files with YAML’s weird rules around quoting, & no support for tab indentation rub me the wrong way.

    • FooBarrington@lemmy.world
      link
      fedilink
      arrow-up
      18
      arrow-down
      2
      ·
      9 months ago

      What? I love having 20 ambiguous ways to express the same data with weird and unexpected conversion rules. JSON is so much worse - if data types are explicit and obvious, how can I properly express my feelings when writing a config file?

    • rtxn@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      1
      ·
      edit-2
      9 months ago

      And what would your ideal, legible, general-purpose data markup language be? XML?

      • Kogasa@programming.dev
        link
        fedilink
        arrow-up
        10
        arrow-down
        1
        ·
        edit-2
        9 months ago

        Yaml Ain’t Markup Language: am i a joke to you

        (JSON for data, TOML for configuration)

        • rtxn@lemmy.world
          link
          fedilink
          English
          arrow-up
          19
          arrow-down
          1
          ·
          9 months ago

          I’ve used both YAML and a TOML-adjacent INI format for Ansible. While I wouldn’t use YAML for massive data serialization (because significant whitespaces are fucking stupid), it’s much better suited for manual data entry compared to most options, including TOML, when nested data structures are required.

          And if YAML’s structure is too complicated, that’s honestly a skill issue.

          • Kogasa@programming.dev
            link
            fedilink
            arrow-up
            11
            arrow-down
            1
            ·
            9 months ago

            Not that YAML’s structure is too complicated, but its syntax is too flexible. All the shit about being whitespace sensitive yet with whitespace errors leading to a syntactically valid YAML document. TOML’s syntax is rigid which makes it unsuitable for expressing complex nested data structures, which is good because that’s not what you should use TOML for. Ultimately the dependence on a highly flexible baseline language like YAML to create complex DSLs is a failure on the developers’ part, and the entire configuration system should be reworked.

            • moonpiedumplings@programming.dev
              link
              fedilink
              arrow-up
              4
              arrow-down
              1
              ·
              edit-2
              9 months ago

              Do you use a linter like the ansible vscode extension?

              I used to hate writing ansible, and yaml, until I installed the ansible lint vscode extension, and everything became much, much easier.

              Later on, when I was working on a docker-compose, I noticed that the vscode yaml extension (which the ansible extension pulled in as a dependency) caught errors. It’s quite intelligent, able to spot errors exactly like what you mentioned, where the yaml syntax is correct, but the docker-compose, or the ansible syntax is wrong.

              • Kogasa@programming.dev
                link
                fedilink
                arrow-up
                3
                ·
                9 months ago

                Of course. If you’re working in a DSL that’s popular enough for someone to have written a good schema/parser for then tooling can help.

          • toastal@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            9 months ago

            Significant white space is awesome! Not supporting tabs tho shows you don’t know what you are doing, YAML.

            • Trail@lemmy.world
              link
              fedilink
              arrow-up
              2
              arrow-down
              2
              ·
              9 months ago

              They very well know what they are doing. Take your filthy tabs and get out of here. Spaces only.

              • CrayonRosary@lemmy.world
                link
                fedilink
                arrow-up
                4
                ·
                edit-2
                9 months ago

                Tabs for indentation, spaces for alignment. It’s perfect. Lets people visually indent as much as they want in their settings, but manually aligned things stay manually aligned. Forcing indents to always be… whatever number of spaces you personally like is dumb.

                Plus then you can outdent with a single Backspace in every text editor ever.

      • toastal@lemmy.ml
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        edit-2
        9 months ago

        Depends on the use case but XML is good for markup—especially if you need extensibility.

        For config, Nickel & Dhall take the cake for being typed & having LSPs so the configuration writer can get immediate feedback about possible options (while eliminating invalid states) without requiring the manual—with configuration readers not needing to mess around with marshaling their types. Both these configuration languages let you import files & write little loops to make your config more DRY & makes maintaining large files (like say Kubernetes) easier.

        • rtxn@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          9 months ago

          XML is great if the (de-)serialization is already implemented. Otherwise traversing the document is a massive pain.

          • toastal@lemmy.ml
            link
            fedilink
            arrow-up
            3
            ·
            9 months ago

            True. Something like XPath can really help & there are use cases where that is more concise but requires loading XPath into your head like Regex (which tends to get unloaded). The extensibility shines tho as seen by XMPP continuing to this day with very good backwards compatibility with 2 decades of updates since everything in an extension to the base.

    • sep@lemmy.world
      link
      fedilink
      arrow-up
      7
      ·
      9 months ago

      I see you get downvoted a lot. But as a norwegian that repeatedly have run into the norwegian problem when trying to use some program… i see you.