Pocket reposted an older QZ article about Leftpad and it’s sort of reignited the controversy, at least for me.

Here’s the link.

I’d love to hear what you think of this, but here are my thoughts:

One, why is this not in the JS standard library? It’s a super commonly used method with equivalents in every programming language, right? JS is pretty notorious for being bloated (which isn’t necessarily a bad thing IMO), but the fact that it lacks this basic function is kind of ridiculous?

Two, people were calling him out as the villain for having the audacity to delete a method he knows powers most of the internet, and to those people I ask: Have you even looked into why that happened? The most common story was just that he was butthurt because “NPM didn’t treat him like royalty like he wanted”, but what actually happened was Kik, yes, the messaging platform notorious for being infested with child groomers, that Kik, wanted to publish their own library (I think it was an API for their app), and Koçulu already had a library called kik. So what does Kik do? They go to fucking NPM and essentially allege trademark violation (which is bullshit because Koçulu’s kik was not a commercial product, and trademarks only apply to names used in commerce). But NPM still removes Koçulu’s kik package, at which point Koçulu removes all his libraries and deletes his account in protest, and the rest is history. Long story short, it ends with NPM restoring his packages against his wishes, and as far as I know he never released anything on NPM again.

So, generally I see two hiveminds when it comes to this controversy. One is of course people mocking Koçulu for being a snowflake or whatever, that he needs to control his anger and not withdraw his packages because he didn’t get his way. Obviously, I disagree with that. I think Kik was being a snowflake for throwing a hissy fit that their name was already taken for something completely unrelated, by someone who almost certainly did not even use their app. They could have named their library kik-chat, kik-app, kik.com, whatever, and it still would have been the same library and people would still have discovered it. Needless to say, I don’t think he was in the wrong at any point of this.

The other hivemind was really mad at NPM, which is a step in the right direction, but they were mad that they restored his package. That makes no sense either, because one of the pillars of open source is that anyone can publish or distribute it as long as they distribute it with the original license and give credit. NPM is an asshole, but they still have the right to distribute an open source library. What we should be mad at NPM for is that they threw him under the bus by removing his package in the first place. Again, Kik has no legs to stand on and NPM was never in any legal trouble because of this, trademarks do not apply to non-commercial products. They’re called trade marks. Trade. As in commerce. Also, it really highlights their priorities that they hold a corporation infamous for enabling children to be victimized in higher regard than someone making code used by the entire internet and not getting paid for it. I also don’t see enough people being mad at Kik. What they did was absolutely unacceptable and they should have faced the brunt of the hate. Then again they’ve already shown themselves to be horrible so they probably would have shrugged it off or maybe even played into it for publicity.

What can the open source world learn from this? Well, for one, I think it has become clear that having your open source dependencies managed by a for-profit company is bad. I wouldn’t be surprised if Kik paid NPM a ton of money and essentially “bought” the kik name like a fucking NFT. The solution would be a combination of package repositories managed by worker co-op nonprofits with transparent financial reports, and decentralized/independent package sources hosted by the authors themselves. If JS took inspiration from Java just a bit more and also made their dependency naming system work by domains, we would have gotten com.koculu.kik and com.kik.kik, and no conflict. Almost like a federated package manager. Especially now that NPM is owned by Microsoft and Yarn was always owned by Facebook, we really do not have a good, trustworthy JS dependency repo, which is a problem because, love the language or hate it, it is still extremely important for our modern computing environment. I think it’s long overdue to break their duopoly.

IDK, that’s the end of my rant. Didn’t really mean to write a wall of text, just saw this article and it got me wanting a retrospective, but yeah. What do you think? Do you agree? Disagree? Why or why not?
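For reference, here is what the "basic function" at the center of the story actually does. This is an added example, not code from the original post or from the left-pad package itself: a from-scratch left-pad with the usual edge cases (numbers, a value already long enough, an empty pad character), next to the equivalent call using String.prototype.padStart, which ECMAScript added in 2017, the year after the incident. The function names and sample inputs are mine.

```javascript
// Added example (not from the original post or the left-pad package).
// leftPad(value, length, ch): pad `value` on the left until it is at least
// `length` characters long.
//   - non-strings (e.g. numbers) are stringified first
//   - a value already >= length is returned unchanged, never truncated
//   - `ch` defaults to a space; only its first character is used, so
//     passing the number 0 pads with '0' and an empty string falls back to ' '
function leftPad(value, length, ch = ' ') {
  const str = String(value);
  const padChar = String(ch).charAt(0) || ' ';
  const missing = length - str.length;
  if (missing <= 0) return str;
  return padChar.repeat(missing) + str;
}

// The same operation with the standard library (ES2017). Note one difference:
// padStart repeats a multi-character fill string cyclically instead of using
// only its first character.
function leftPadBuiltin(value, length, ch = ' ') {
  return String(value).padStart(length, ch);
}

// Typical uses: zero-padding numbers and aligning text columns.
// Constructed sample inputs, returned rather than printed so they can be checked.
function examples() {
  return {
    zeroPadded: leftPad(42, 5, '0'),      // '00042'
    aligned: leftPad('abc', 6),           // '   abc'
    tooLong: leftPad('toolong', 3, '*'),  // 'toolong' (not truncated)
    numericPad: leftPad(7, 3, 0),         // '007'
    builtin: leftPadBuiltin(7, 3, '0'),   // '007'
  };
}
```

The point for a practitioner is that the whole thing is a dozen lines with no external dependency; the risk in 2016 was never the code, it was that thousands of builds transitively fetched those lines from a registry a third party could pull them from.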

  • communistcapy@lemmygrad.ml · 2 years ago
    Pretty bogus move by npm and a sad story for the dev to have felt betrayed by people whom he trusted, and felt forced to burn so many bridges. It is a decent point in favor of being careful which communities you invest in.

    A point of clarification, yarn is not owned by Facebook; it was created in part by Facebook but is actually licensed under BSD-2 and copyright attributed to “Yarn Contributors.”

    I think the important thing here is probably to have access to a community managed package registry. It appears in 2019 someone started working on one at open-registry.dev but looking at the github page it seems abandoned.