A JavaScript dev named Azer Koçulu has been having a branding issue with chat app Kik – he’d created a project of the same name in the JavaScript package registry NPM.
This week, conversations broke down and, in true open-source fashion, it’s all playing out in public. Koçulu wrote:
After I refused them, they reached [out to] NPM’s support emphasizing their lawyer power in every single e-mail CC’ing me. @izs accepted to change the ownership of this module, without my permission. This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People.
So he took his 272 projects off of NPM and over to GitHub.
Turns out one of them, though, innocuously called ‘left-pad,’ is an 11-line padding script used by many thousands of other bits of work, including Node and Babel.
Isaac Schlueter, @izs of NPM, explained what happened next:
We began observing hundreds of failures per minute, as dependent projects — and their dependents, and their dependents… — all failed when requesting the now-unpublished package.
Koçulu apologizes in his post and offers a number of solutions for people reliant on his open-source work, but NPM says it was simply working through a standard conflict resolution process for package-name disputes, which come up regularly.
Schlueter continued:
Given two packages vying for the name kik, we believe that a substantial number of users who type npm install kik would be confused to receive code unrelated to the messaging app with over 200 million users. Transferring ownership of a package’s name doesn’t remove current versions of the package. Dependents can still retrieve and install it. Nothing breaks.
Had Azer taken no action, Kik would have published a new version of kik and everyone depending upon Azer’s package could have continued to find it. It was abrupt unpublishing, not our resolution policy, that led to yesterday’s disruptions.
Within minutes, other members of the community had stepped in to offer fixes, although the sheer volume of projects reliant on the original made it incredibly tricky. Many would not recognize the same package if it were published under a different version number, for example.
So NPM republished the original. And the community’s a little divided on who’s in the right.
Then, like a wonderful soap opera, the “corporate dicks” weighed in, with head of messenger at Kik, Mike Roberts, taking the drastic step of setting up a Medium account in order to explain his company’s role in “breaking the internet.”
That includes publishing the entire email exchange with Koçulu.
Ironically, Roberts says he found out about the problem not through the ongoing dispute about the name, but because Kik was reliant on Koçulu’s work too.
Koçulu:
Sorry, I’m building an open source project with that name.
Bob Stratton from Kik:
We don’t mean to be a dick about it, but it’s a registered Trademark in most countries around the world and if you actually release an open source project called kik, our trademark lawyers are going to be banging on your door and taking down your accounts and stuff like that — and we’d have no choice but to do all that because you have to enforce trademarks or you lose them.
Can we not come to some sort of a compromise to get you to change the name without involving lawyers? Is there something we could do for you in compensation to get you to change the name?
The discussion doesn’t go far, so Stratton goes to tell NPM and it all gets a bit out of hand.
Sure, Koçulu could have just given up the name, but he’s working on stuff that clearly helps an awful lot of other people every day, just for the hell of it. Kik is not.
But the clear vulnerability of an internet that’s set up like a load of dominoes – reliant on a web that leads to one person’s open-source project – should be of real concern to corporates, or anyone else, relying on the resilience of the Web.
➤ How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript [The Register]