Kik, left-pad, and npm
blog.npmjs.org
Claiming that users would be confused when installing the Kik package is a bit of a bad excuse. Installing a package without knowing what it is or does is simply nonsensical. There's no way of knowing even _how to use_ the package without looking up information about it beforehand. Anyone seriously installing a software package using a developer tool without knowing anything other than the package's name is a fool.
Additionally, the lawyers in question did not seem to want to put a new package online, they simply wanted to take down the existing one. This does not seem to be the intent of the name resolution policy.
This was a bad call on the part of the NPM team, and they should reevaluate how they arbitrate these issues.
Kik (the company) wanted to publish an npm module using their trademarked company name[1]. As has long been npm's policy, they asked the trademark holder and the author to work it out amicably. Azer handled the situation about as gracefully as you'd expect from someone who published a module without checking if the name was clear and rage-quit when that decision bit him, bitching about "corporations" and stranding the countless developers who (eventually) depended on one of his modules.
npm and Kik did most everything right. The problem was in unpublishing already published tags. Once a tag is published, it shouldn't be able to be unpublished except in the most extenuating circumstances (perhaps a brand-new tag that inadvertently included PII). After a name changes hands, the new owner shouldn't be able to publish a new build in any of the major versions the previous owner tagged. Moreover, wholesale unpublishing modules shouldn't be allowed for the exact reasons this incident demonstrated. Based on npm's response, it sounds like they've learned that.
[1]: https://medium.com/@mproberts/a-discussion-about-the-breakin...
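The three registry rules argued for in the comment above (a published version is immutable, unpublishing is per-version and only within a short window, and after a name changes hands the new owner cannot publish into a major line the previous owner tagged), as an added example in JavaScript. This is not npm's code and does not reproduce how the npm registry actually behaves; the `Registry` class, the 24-hour grace window, the hypothetical package and owner names, and the scenario data are all assumptions made for illustration.

```javascript
// Added example (not npm's code): a toy registry model that enforces the
// three rules argued for above. Names, the grace window and the data model
// are assumptions made for illustration.

// Minimal semver parser: major.minor.patch only, no prerelease/build tags.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

class Registry {
  // `clock` is injectable so the unpublish window can be tested deterministically.
  constructor(clock = () => Date.now(), unpublishGraceMs = 24 * 60 * 60 * 1000) {
    this.packages = new Map(); // name -> { owner, versions: Map<version, { owner, publishedAt }> }
    this.clock = clock;
    this.unpublishGraceMs = unpublishGraceMs; // assumption: a 24h "oops" window
  }

  publish(name, version, owner) {
    const { major } = parseSemver(version);
    let pkg = this.packages.get(name);
    if (!pkg) {
      pkg = { owner, versions: new Map() };
      this.packages.set(name, pkg);
    }
    if (pkg.owner !== owner) throw new Error(`${owner} does not own ${name}`);
    // Rule 1: a published version is immutable; never overwrite it.
    if (pkg.versions.has(version)) throw new Error(`${name}@${version} already exists`);
    // Rule 2: after a transfer, the new owner may not publish into a major
    // line that a previous owner tagged, so existing ^x.y.z ranges cannot
    // silently resolve to code from a different author.
    for (const [v, meta] of pkg.versions) {
      if (meta.owner !== owner && parseSemver(v).major === major) {
        throw new Error(`${name}@${version}: major ${major} belongs to previous owner ${meta.owner}`);
      }
    }
    pkg.versions.set(version, { owner, publishedAt: this.clock() });
    return true;
  }

  // Rule 3: unpublish is per-version and only within a short window after
  // publishing (e.g. a tag that accidentally shipped PII). There is
  // deliberately no "unpublish the whole package" operation.
  unpublish(name, version, requester) {
    const pkg = this.packages.get(name);
    const meta = pkg && pkg.versions.get(version);
    if (!meta) throw new Error(`${name}@${version} not found`);
    if (pkg.owner !== requester) throw new Error(`${requester} does not own ${name}`);
    if (this.clock() - meta.publishedAt > this.unpublishGraceMs) {
      throw new Error(`${name}@${version}: unpublish window has closed`);
    }
    pkg.versions.delete(version);
    return true;
  }

  // Ownership transfer (however the dispute process decided it) keeps every
  // existing version in place; it only changes who may publish new ones.
  transfer(name, from, to) {
    const pkg = this.packages.get(name);
    if (!pkg) throw new Error(`${name} not found`);
    if (pkg.owner !== from) throw new Error(`${from} does not own ${name}`);
    pkg.owner = to;
    return true;
  }

  isInstallable(name, version) {
    const pkg = this.packages.get(name);
    return Boolean(pkg && pkg.versions.has(version));
  }
}

// Wrap a call so failures come back as data instead of exceptions.
function attempt(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// Walk-through of a name-transfer dispute with constructed, hypothetical data.
function scenario() {
  let now = 0;
  const reg = new Registry(() => now, 24 * 60 * 60 * 1000);
  const log = {};
  log.firstPublish = attempt(() => reg.publish('kik', '1.0.0', 'original-author'));
  log.republish = attempt(() => reg.publish('kik', '1.0.0', 'original-author'));
  now = 60 * 1000; // one minute later
  log.quickFix = attempt(() => reg.publish('kik', '1.0.1', 'original-author'));
  log.earlyUnpublish = attempt(() => reg.unpublish('kik', '1.0.1', 'original-author'));
  now = 3 * 24 * 60 * 60 * 1000; // three days later
  log.lateUnpublish = attempt(() => reg.unpublish('kik', '1.0.0', 'original-author'));
  log.transfer = attempt(() => reg.transfer('kik', 'original-author', 'new-owner'));
  log.hijackMajor = attempt(() => reg.publish('kik', '1.1.0', 'new-owner'));
  log.newMajor = attempt(() => reg.publish('kik', '2.0.0', 'new-owner'));
  log.oldStillInstallable = reg.isInstallable('kik', '1.0.0');
  return log;
}
```

The point of rule 2 is that a consumer with `"kik": "^1.0.0"` in package.json keeps resolving to the original author's code after the transfer; the new owner can only be reached by an explicit bump to 2.x. Rule 3 is what would have prevented the wholesale unpublish described later in the thread, while still leaving a short window for genuine mistakes.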
The problem is that KIK (the company) has no registered trademark for this use. If they had, they (or you) could point to the specific registration that the `kik` project infringed upon.
Any talk about trademarks is irrelevant (and npm even claims in this article that it had nothing to do with their decision).
Additionally, the `kik` package now has this description:
'This package name is not currently in use, but was formerly occupied by a popular package. To avoid malicious use, npm is hanging on to the package name, but loosely, and we\'ll probably give it to you if you want it.'
So...why did this happen again?
Because Kik plans to `npm publish kik`, presumably a JS API or something. That is a stock robomessage, though granted, not a very good one under the circumstances.
The first rule of open source is check if the name has any other popular uses (using, at the very least, Google and the USPTO). Whether or not Kik would have sued for trademark infringement is secondary - before publishing, the author should have searched for the name, and when he saw an established product using it, chosen something else.
npm has never been secretive about its name collision policy.
Wait, like to anyone who wants it? I wonder what would happen if Azer asked for it back, heh.
I've done apt-get install node on ubuntu and got a legacy package. Would you go to check if apt-get install firefox really installs the browser and do it every single time you install something? It's not totally a bad excuse I think.
Those are applications, that you can use without the documentation. These are libraries, for which you need to read the documentation first, whether official or third-party. They're really not comparable at all.
For a long time the Docker install documentation contained no information that the proper package name in Debian was docker.io. So yes they are comparable.
"Anyone seriously installing a software package using a developer tool without knowing anything other than the package's name is a fool."
That includes the projects that had left-pad as a dependency.
> npm won’t suddenly take your package name.
"...unless we do, in which case we will."
I wonder at the cognitive dissonance that has to be there to type a thing like this when the entire shit show started with you doing exactly what you're saying you won't do.
I'm not completely up to speed on the situation. Do we know that this happened suddenly?
Based on the chats here:
https://medium.com/@mproberts/a-discussion-about-the-breakin...
It does seem that the first contact from NPM to Azer was to tell him they were taking his package. There does seem to be a gap there, so maybe there is more to it.
The author of that post claims those transcripts represent the "complete email thread of [their] exchange", but I also have serious doubts about the accuracy of that claim.
Particularly troubling is the 'first' email from KIK|Bob to NPM:
>OK, so it doesn’t seem to be possible to resolve this amicably. Can you guys help?
>Bob Stratton
>kik Interactive
If this was a cold-email to NPM, we must assume that Bob is relying on NPM to spend time deciphering the chain mail that he had just forwarded to them.
Words like "it" and "this" suggest that there had been prior correspondence between the parties, but maybe Bob just likes to dump chain mails on other parties while using extremely vague pronouns?
Following the Dispute Resolution Policy [1], NPM would have been CCed on the entire chain. This is tl;dr item #2 right at the top:
«2.Email the author, CC support@npmjs.com»
Given other context in the exchange, I would give Bob the benefit of the doubt that he followed Item #2 here and did CC NPM in this discussion.
Additionally Bob is correct that as soon as the F-bomb was thrown it was a clear intent by Azer not to deal amicably with the situation and also a clear violation of the Code of Conduct [2], which is not mentioned in this article because it is directly invoked/linked in by the Dispute Policy, but is also applicable to the actions taken here.
[1] https://www.npmjs.com/policies/disputes [2] https://www.npmjs.com/policies/conduct
Bob clearly started the vulgarities by dropping a D-bomb (and labeling himself and KIK one) in the opening clause of his second email.
KIK|Bob never intended to act amicably and, in fact, admitted as such in cold text.
>We don't mean to be a dick about it, but...
NPM seems to have ignored this blatant violation of their dispute policy and didn't even engage in conversation.
That certainly reads to me as an attempt to be colloquially amicable. Certainly it would have put a better foot forward if he had started with something more like "We are trying to do the right thing and...", but minor self-effacing obscenities are something we Americans tend to use in a colloquial, "buddy buddy" way to suggest that we are aware of the complexities of the situation and empathize with the other person's plight and how they must see us. It certainly read amicably to me, but I can also see why it may not read that way to others, especially without vocal pattern contextual information, and that it may in fact only add to the confusion of the resulting conversation.
(Thinking about it, I wonder if this is something of an l10n/i18n issue... Oh the wonders of global communications and how it can break down.)
The whole thing reads to me as a cultural misunderstanding. At least, I wouldn't consider the Kik messages to be anywhere near appropriate language or tone. Given that npm seemed to be fine with it, I guessed that it's not unacceptable to American ears, but my emotional reaction probably would have been along the same lines as the original author.
NPM should not have been fine with it [0]. KIK|Bob's language is in violation of npm's stated Code of Conduct and Dispute Resolution process. If npm actually read KIK|Bob's emails that were sent to Azer, I don't see how they could have allowed that dispute to continue, let alone side with KIK|Bob.
[0] https://medium.com/@blakelapierre/bob-stratton-and-kik-inter...
"npm did not 'steal' Azer's code."
"npm did not respect Azer's code."
"This incident did not arise because of intellectual property law."
"we believe that a substantial number of users who type npm install kik would be confused to receive code unrelated to the messaging app with over 200 million users."
"This incident did arise because of intellectual property policy."
"npm won’t suddenly take your package name."
"... except when we do"
Shady.
Come on npm, no one blindly does "npm install kik" expecting to install a messenger client.
"Open source" doesn't mean the code is free to take over. The blog should have used exact terms on licenses and their TOS.
I like to support people that do things to convey their opinion and protest a decision. Sometimes brazen behavior is warranted to get more attention to your cause. But not in this situation. What Azer did seems like a "knee-jerk reaction" performed mostly out of spite.
Well, he has got balls. You were supposed to be on the side of the developer.
In other words: npm Inc says they have done nothing wrong and the only problem is the ability to unpublish versions other people depend on. This matches the way npm employees have been responding to the outrage on twitter yesterday.
However there are two causes for outrage here:
1. Azer unpublished a module a large number of projects depended on (mostly indirectly via babel, which itself depended on it indirectly via a line numbers package), breaking everyone's installs.
2. npm Inc handed over the kik package name used by azer for an actively maintained project to kik Interactive who previously tried to strongarm azer with vague legal threats unsuccessfully.
Personally I find #2 far more troubling but if you listen to what npm Inc and its employees have to say it's as if this isn't even worth mentioning.
A representative of kik Interactive asked azer for the package name (after having already published their own package on npm under a different name). Azer said no thank you, so the same person responded with an underhanded threat (but no actual legal claim) -- to which azer understandably responded unfavourably.
Then the same person contacted npm Inc with wording that strongly implies he isn't looking for mediation but for npm Inc to do what azer refuses to do -- but with no indication that failure to comply would put npm Inc itself at any legal risk (which the statement now acknowledges although npm Inc employees have indicated otherwise before @ag_dubs clarified). And npm Inc just does exactly that.
As far as npm Inc and kik Interactive have been truthful about the exchanges that took place, at no point did npm Inc try to mediate between kik Interactive and azer over the use of the package name or alternate package names and the intended use by kik Interactive.
Npm Inc is behaving like a private company here. That's okay and they've done so in the past and repeatedly made it clear that they are a private company and offer the npm public registry as a free service and the npm client as an open source project.
However what is not okay is that npm Inc wishes to maintain an exclusive monopoly and special status within the node ecosystem by being an upstream dependency for the node project (the npm project existed before the formation of npm Inc as a private company and the npm registry was only transferred to npm Inc after it had already become the blessed module registry for node).
Right now node itself is under the control of the Node Foundation but npm (both the client and the registry) is under the control of npm Inc. The npm client and registry hold a special status within the node project by being shipped alongside node (which has previously resulted in licensing problems when npm Inc made changes to their license without notifying the node project) and being treated as "the" node module registry.
This means a non-trivial part of the node ecosystem -- as advertised and spread by the node project -- is under sole control of a private company. Further, npm employees are members of the Node Foundation and influencing it as such -- including Ashley Williams who was elected as a representative for the Node Foundation members despite an obvious conflict of interest (consciously or not) due to her prominent role at npm Inc.
It's a clusterfuck and I only see two options:
1. npm Inc continues to maintain the registry and client but stops interfering with attempts to replace npm as the authoritative module registry for the node project (leading to the eventual replacement of the registry and client by something under the control of the Node Foundation).
2. npm Inc defers arbitration and governance of the public npm registry to a Node Foundation committee (which they may join through the normal ways but hold no special status in), effectively giving control over policies to the Node Foundation (formalizing their special status without giving them as much power over the node project as they currently have).
Some interesting things to note:
NPM claims intellectual property issues had nothing to do with their dispute resolution.
NPM disregarded Azer's unpublish request by restoring `left-pad@0.0.3` from a backup of Azer's original publishing, not by repackaging the liberally licensed source.
NPM claims the full dispute resolution policy is still in place, yet many of the packages that have been taken over currently have no usable code and/or are being 'squatted' in direct contradiction of that policy.