Pocket reposted an older QZ article about Leftpad and it’s sort of reignited the controversy, at least for me.

Here’s the link.

I’d love to hear what you think of this, but here are my thoughts:

One, why is this not in the JS standard library? It’s a super commonly used method with equivalents in every programming language, right? JS is pretty notorious for being bloated (which isn’t necessarily a bad thing IMO), but the fact that it lacks this basic function is kind of ridiculous?

Two, people were calling him out as the villain for having the audacity to delete a method he knows powers most of the internet, and to those people I ask: Have you even looked into why that happened? The most common story was just that he was butthurt because “NPM didn’t treat him like royalty like he wanted”, but what actually happened was Kik, yes, the messaging platform notorious for being infested with child groomers, that Kik, wanted to publish their own library (I think it was an API for their app), and Koçulu already had a library called kik. So what does Kik do? They go to fucking NPM and essentially allege trademark violation (which is bullshit because Koçulu’s kik was not a commercial product, and trademarks only apply to names used in commerce). But NPM still removes Koçulu’s kik package, at which point Koçulu removed all his libraries and deleted his account in protest, and the rest is history. Long story short, it ends with NPM restoring his packages against his wishes, and as far as I know he never released anything on NPM again.

So, generally I see two hiveminds when it comes to this controversy. One is of course people mocking Koçulu for being a snowflake or whatever, that he needs to control his anger and not withdraw his packages because he didn’t get his way. Obviously, I disagree with that. I think Kik was being a snowflake for throwing a hissy fit that their name was already taken for something completely unrelated, by someone who almost certainly did not even use their app. They could have named their library kik-chat, kik-app, kik.com, whatever, and it still would have been the same library and people still would have discovered it. Needless to say, I don’t think he was in the wrong at any point of this.

The other hivemind was really mad at NPM, which is a step in the right direction, but they were mad that they restored his package. That makes no sense either, because one of the pillars of open source is that anyone can publish or distribute it as long as they distribute it with the original license and give credit. NPM is an asshole, but they still have the right to distribute an open source library. What we should be mad at NPM for is that they threw him under the bus by removing his package in the first place. Again, Kik has no legs to stand on and NPM was never in any legal trouble because of this, trademarks do not apply to non-commercial products. They’re called trade marks. Trade. As in commerce. Also, it really highlights their priorities that they hold a corporation infamous for enabling children to be victimized in higher regard than someone making code used by the entire internet and not getting paid for it. I also don’t see enough people being mad at Kik. What they did was absolutely unacceptable and they should have faced the brunt of the hate. Then again they’ve already shown themselves to be horrible so they probably would have shrugged it off or maybe even played into it for publicity.

What can the open source world learn from this? Well, for one, I think it has become clear that having your open source dependencies managed by a for-profit company is bad. I wouldn’t be surprised if Kik paid NPM a ton of money and essentially “bought” the kik name like a fucking NFT. The solution would be a combination of package repositories managed by worker co-op nonprofits with transparent financial reports, and decentralized/independent package sources hosted by the authors themselves. If JS took inspiration from Java just a bit more and also made their dependency naming system work by domains, we would have gotten com.koculu.kik and com.kik.kik, and no conflict. Almost like a federated package manager. Especially now that NPM is owned by Microsoft and Yarn was always owned by Facebook, we really do not have a good, trustworthy JS dependency repo, which is a problem because like the language or hate it, it is still extremely important for our modern computing environment. I think it’s long overdue to break their duopoly.

IDK, that’s the end of my rant. Didn’t really mean to write a wall of text, just saw this article and it got me wanting a retrospective, but yeah. What do you think? Do you agree? Disagree? Why or why not?

  • communistcapy@lemmygrad.ml · 2 years ago

    Pretty bogus move by npm and a sad story for the dev to have felt betrayed by people whom he trusted, and felt forced to burn so many bridges. It is a decent point in favor of being careful which communities you invest in.

    A point of clarification, yarn is not owned by Facebook; it was created in part by Facebook but is actually licensed under BSD-2 and copyright attributed to “Yarn Contributors.”

    I think the important thing here is probably to have access to a community managed package registry. It appears in 2019 someone started working on one at open-registry.dev but looking at the github page it seems abandoned.

  • Arthur Besse@lemmy.ml · 2 years ago

    I agree with most of your conclusions here, but you’re mistaken about trademarks. They actually can be (and often are) applied in non-commercial contexts. See, for example, the Mozilla Trademark Guidelines which say:

    The open source nature of Firefox and other Mozilla software allows you to freely download and modify the source code. However, if you make any changes to Firefox or other Mozilla software, you may not redistribute that product using any Mozilla trademark without Mozilla’s prior written consent and, typically, a distribution agreement with Mozilla. For example, you may not distribute a modified form of Firefox and continue to call it Firefox.

    See also wikipedia’s article about trademark, and also Wikimedia’s own trademark policy.

  • 🏳️‍⚧️ Elara ☭@lemmygrad.ml · 2 years ago

    In my opinion, NPM is mostly at fault for this. The developer of leftpad was fully justified in removing all their packages from NPM, I would’ve done the same if they’d sided with corporate lawyers whose argument doesn’t even make sense (why would anyone coming across “Kik” reasonably expect it to be their project when their project doesn’t even exist yet?). I might’ve started with a notice for maybe a month or so, and then removed it.

    As for how this could be avoided, I like the way Go handles packages. Packages are imported using their URL. For example, if you wanted to import my logging library, you’d use go.elara.ws/logger, which redirects to https://gitea.elara.ws/Elara6331/logger using a meta tag in the <head>. This way, you’d be able to use something like kik.com/kik as the package name, while the old one would be something like github.com/koculu/kik, and there would be no conflict. Go also locks versions by default (and makes it impractical not to), it uses checksums to make sure code hasn’t been altered, and it uses a package cache, so even if the package was replaced with completely different code or disappeared entirely, no one would be affected. This also avoids requiring any centralized registry at all.
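The checksum protection described in the comment above, shown as an added example that is not part of the thread or of any project mentioned in it: it reproduces the "h1:" hash construction that go.sum records (sha256 over a sorted listing of per-file sha256 sums, as `dirhash.Hash1` computes it) over a constructed in-memory module, and shows that a package whose code has been replaced no longer matches the recorded hash. The module path `example.com/kik@v1.0.0` and its files are made up for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// modHash computes the "h1:" module hash that go.sum records, using the same
// construction as dirhash.Hash1: one "<sha256hex>  <path>\n" line per file,
// sorted by path, then sha256 over those lines, base64-encoded.
// files maps zip-style paths ("module@version/file") to their contents.
func modHash(files map[string]string) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	summary := sha256.New()
	for _, p := range paths {
		fileSum := sha256.Sum256([]byte(files[p]))
		fmt.Fprintf(summary, "%x  %s\n", fileSum, p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verify mirrors the check the go command performs against go.sum: a freshly
// computed hash must equal the recorded one, otherwise the download is rejected.
func verify(recorded string, files map[string]string) bool {
	return recorded == modHash(files)
}

// Constructed sample module standing in for a hypothetical example.com/kik@v1.0.0.
var original = map[string]string{
	"example.com/kik@v1.0.0/go.mod": "module example.com/kik\n\ngo 1.21\n",
	"example.com/kik@v1.0.0/kik.go": "package kik\n\nfunc Hello() string { return \"hi\" }\n",
}

func main() {
	recorded := modHash(original) // what go.sum would have pinned at first download
	replaced := map[string]string{}
	for k, v := range original {
		replaced[k] = v
	}
	// Same path and version, but different code, as if the package were republished.
	replaced["example.com/kik@v1.0.0/kik.go"] = "package kik\n\nfunc Hello() string { return \"changed\" }\n"
	fmt.Println("recorded:", recorded)
	fmt.Println("original verifies:", verify(recorded, original))
	fmt.Println("replaced code verifies:", verify(recorded, replaced))
}
```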