Monkey: the satirical Go package used unwittingly by Arduino and SalesForce
Collisions between the personal and the commercial in open-source have become familiar, as when an irate independent developer pulled a widely used package entirely in 2016, bringing down hundreds of projects. But we don't expect a commercial enterprise to suddenly discover a package they have long relied on forbids any use at all—and does so for a very good reason.
This was the realization for dapr, a “portable, serverless, event-driven runtime,” with 14k stars on GitHub, when an issue was opened last week about its dependency bouk/monkey. Monkey's license, in its entirety, reads:
I do not give anyone permissions to use this tool for any purpose. Don’t use it.
I’m not interested in changing this license. Please don’t ask.
It raises the question: do even corporate entities read the licenses of packages they use? While Dapr was called out, Arduino, SalesForce, and hundreds of other projects also reference Monkey.
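An added example, not part of the original article or of any project it names: a small Go check that a CI job could run over go.mod to catch a dependency whose license forbids use, before it ships. The module paths bou.ke/monkey and github.com/bouk/monkey are assumptions (the article names only bouk/monkey), and the sample go.mod is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// denied: module paths to reject. Both are assumptions; the page says only "bouk/monkey".
var denied = map[string]bool{"bou.ke/monkey": true, "github.com/bouk/monkey": true}

// Finding is one denied requirement found in a go.mod file.
type Finding struct {
	Module, Version string
	Indirect        bool
}

// Audit reports require directives (single-line or block form) naming a denied module.
func Audit(gomod string) []Finding {
	var out []Finding
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop trailing comment
		}
		switch {
		case line == "require (" || line == ")":
			inBlock = line != ")" // ")" also ends replace/exclude blocks
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace, exclude lines
		}
		if f := strings.Fields(line); len(f) >= 2 && denied[f[0]] {
			out = append(out, Finding{f[0], f[1], indirect})
		}
	}
	return out
}

// sample is a constructed go.mod, not taken from any real project.
const sample = "module example.com/app\n\ngo 1.17\n\nrequire (\n\tgithub.com/stretchr/testify v1.7.0\n\tbou.ke/monkey v1.0.2 // indirect\n)\n\nrequire github.com/bouk/monkey v1.0.0\n"

func main() {
	fmt.Println(Audit(sample))
}
```

A go.mod written for Go 1.17 or later lists transitive requirements marked `// indirect`; older files may not, so a clean result there does not rule out a transitive dependency.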
Monkey is popular because it fills a real need. It was created by Bouke van der Bijl, a programmer based in Amsterdam, who was eager to add monkey patching to Go. The feature is useful for tests where, say, a repo that talks to a database is swapped out for a component returning test data. The lack of this feature in Go is a testament to the language's resistance to adding the trendy latest features that have bloated languages like Python and C#.
However, adding monkey patching to Go is not a reasonable goal while respecting anything close to "best practices." Like van der Bijl's previous project, Gonerics—which added generics to Go—Monkey asks why this much-desired feature is not already part of the language, and then adds it by any means necessary.
The appeal of van der Bijl's work is in how far he is willing to go to get the language to work the way he wants. For Monkey, this is achieved with assembly-level fuckery predicated on the insight that running Go programs can modify their own binaries.