DevOps darling Chef had a nightmare Thursday after it emerged the software biz had inked a deal with US immigration, which sparked protest and a baffling counter-response.
Here's how it went down. Earlier this week, Chef, an app configuration specialist, was publicly called out for selling $95,000 (£75,000) of licenses to Uncle Sam's Immigration and Customs Enforcement, the controversial agency best known for its recent hits I Separated Asylum-Seeking Families At The Border and What's A Concentration Camp. The one-year software supply deal, brokered by a reseller, kicked off in August.
Open-source programmer and DevOps guru Seth Vargo, deeply unhappy with this arrangement, yanked offline some of his Ruby Gems – software packages for Ruby devs – that made Ruby-based Chef a lot easier to use. In particular, he took down the popular and useful Chef-Sugar, which over the years has racked up more than 20 million downloads.
"I'm not trying to make a political statement," Vargo told The Register on Thursday. "As software engineers, we have to abide by some sort of moral compass. When I learned that my code was being used for purposes that I perceive as evil, I had to act."
The withdrawal of the Gems not only drew attention to Chef's deal with the US government, it also broke, to some extent, customer deployments that were relying on Vargo's now-yanked Apache-licensed source.
"I apologize for the disruption to your workflow," the programmer noted on GitHub. "I will be happy to restore the old repository and Gem versions if Chef cancels their contract with the agency."
Amid said disruption, and presumably at best to keep production code in the field working, Chef's principal engineer Marc Paradise approved a staggering response: the Seattle-headquartered biz would simply and hastily paper over the situation.
The company took the decision to fork and rename Vargo's software, and also relabel the author of the copied software as Chef. For example, references to Vargo as author and maintainer were replaced with "Chef Software, Inc" in the forked Chef-Sugar. Comments posted on Chef's GitHub pages about the forking were also removed.
I give mad props to @sethvargo for yanking his chef-sugar gem because @chef does business with @ICEgov. It's hysterical that @chef is trying to get the genie back in the bottle by forking his repo, closing issues, deleting tweets and comments online. #nothingcanbedeleted pic.twitter.com/jXGjzl60TC— patrick veverka (@veverkap) September 19, 2019
Paradise soon undid the authorship override amid a growing backlash in the DevOps community against the software business. For one thing, the change was not particularly in the spirit of open source, a world Chef is heavily and proudly rooted in.
The decision to lift the code and slap a new name on it, Vargo said, is an indication of just where Chef stands, morally.
"Chef's decision to remain silent on the issue, and their decision to restore an older version of the code, removing me as an author from the metadata," he said, "speaks volumes to their own moral and ethical standards."
Is there a spin doctor in the house?
We asked Chef for its side of the story, and a spokesperson said they would get back to us. While we were waiting on Thursday evening for an explanation, the software house's CEO Barry Crist took to the company blog to do some damage limitation, by publicly airing an email he sent earlier to staff.
In his memo, Crist tried to make the argument that, er, when you think about it, it would be immoral for Chef not to do business with an agency that has been accused of human-rights abuse against families fleeing violence and seeking asylum in the land of opportunity and freedom.
"I want to be clear that this decision is not about contract value — it is about maintaining a consistent and fair business approach in these volatile times," the Chef boss argued.
"I do not believe that it is appropriate, practical, or within our mission to examine specific government projects with the purpose of selecting which US agencies we should or should not do business."
Right out of the chief exec playbook, Crist said his and other employees' personal feelings should take a back seat when there are deals to be had. However, he also admitted "many" of his staff and "many of our community members would prefer we had no business relationship with DHS-ICE [Department of Homeland Security and ICE]."
"And to be clear," he added, "I also find policies such as separating families and detaining children wrong and contrary to the best interests of our country."
But not contrary to the best interests of Chef's balance sheet, eh? ®
Updated to add
"During remediation steps, we inadvertently changed the name of the Author in the gem ‘chef-sugar’ to Chef Software, Inc," said Chef CTO Corey Scobie in a mea culpa on Friday evening.
"This was incorrectly done and a mistake as we had people trying to do multiple things at once to get things working. As soon as we were aware of this mistake, we changed the Author back to the original."