
NPM Bans Terminal Ads - slovenlyrobot
https://www.zdnet.com/article/npm-bans-terminal-ads/
======
cj
While I don't particularly like the idea of stuffing ads into npm logs, I
don't have the same visceral negative reaction that many people have in these
HN threads on this topic.

The overwhelming majority of the people complaining about this are well-paid
tech workers writing code for well-funded companies that profit off of open
source code without providing any reciprocal value to the open source projects
in return. (Of course, that statement isn't true for 100% of companies, but
I'd guess that less than 10% of companies using open source code donate back
to the open source projects they use)

Something about this whole debate makes me a bit uneasy.

You have people working mostly for free, developing open-source, FREE code
that provides incredible value to the for-profit companies that use the open
source code to generate (sometimes) massive amounts of revenue.

Given the amount of value open source provides to for-profit companies (with
the open source maintainers rarely getting any reciprocal value from the
companies that profit off them), why is it so alarming to think that these
maintainers might think of a clever idea like this to make a couple thousand
bucks?

I'm not arguing that npm install logs should be packed full of ads (it
shouldn't).

But instead of attacking the guy for trying, I really wish the discussion were
focussed on how the community of open-source consumers can contribute back to
the open source ecosystem in a way that promotes the sustainability of the
projects and community.

~~~
jasode
_> , why is it so alarming to think that these maintainers might think of a
clever idea like this to make a couple thousand bucks? [...] But instead of
attacking the guy for trying, I really wish the discussion were focussed on
how the community of open-source consumers can contribute back to the open
source ecosystem_

You're (possibly unintentionally) distorting/diverting the issue. Nobody is
criticizing open source maintainers for trying to get funding in an _abstract
sense_. (We can all agree open source maintainers need income.) However, if
the _concrete implementation_ of trying to get money is _unwanted and
unexpected ads_ , then the _correct focus of discussion is the criticism of
that ad delivery method_. The succinct version of this is: _"The ends do
not justify the means."_

As hypothetical examples...

\- If Pi-Hole maintainers get the "clever" idea to get funding by changing
"doubleclick.net" from returning "127.0.0.1" to the ip address for
"BuyPiholeTShirts.com", people are going to criticize that "ad". It doesn't
matter if Pi-Hole volunteers "deserve" more money, the correct focus of
criticism/discussion is the sneaky ip redirect.

\- If the maintainer of d3 Javascript library
([https://github.com/d3/d3](https://github.com/d3/d3)) decides to embed
advertising such as _"Try LINODE for 30 days!"_ in "README.md" and inside the
source code comments of every js file, the _correct focus of discussion is
those ads and not whether the maintainer needs money_.

The _methods_ of soliciting funds do matter.

So far, socially acceptable ways seem to be Patreon, or getting hired by
FAANG, or grants, etc. The "clever ideas" like NPM console ads are not
socially acceptable.

~~~
tempguy9999
This is an unfair go at the poster. He said "I'm not arguing that npm install
logs should be packed full of ads (it shouldn't)."

That's clear as can be. He's asking the same question I am, how do we get
sufficient funding for these projects. Re your patreon suggestion, I thought
we recently had an article where someone got little to nothing on that.

> or getting hired by FAANG

So one way to support foss software is to get hired by a closed source
company. Kind of defeats your point.

This is the problem right here, "I want but I'm not personally going to pay".
We get ads (funding model of the modern web) or foss remains underfunded while
non-foss companies get the cash they need. The problem is human nature. And
yes, I've personally opened my wallet for them, and will again.

~~~
heyoni
Since when are FAANG companies considered to be closed source? Have any of
them snatched up maintainers to continue development behind closed doors?

There are examples of large corporations hiring maintainers to work on open
source and keep those projects open source. I believe pypi is an example of
that.

~~~
saagarjha
I am fairly certain that Apple has hired people who previously worked on
permissively-licensed projects to work on the closed-source fork.

~~~
chipotle_coyote
I'd like to see that backed up, really. There are certainly criticisms to be
made of how Apple has handled their open source projects (slow to update and
push out new releases, not great at cooperating with upstream projects when
Apple has forked them, typically cryptic Apple communication practices). But
if Apple has taken open source projects, created closed-source forks of them,
_and_ hired original developers of and/or major contributors to the original
open source project to maintain and develop the closed source fork without
contributing back to the open source original, none of them immediately come
to mind.

~~~
rvp-x
I got direct quotes from Apple employees about how their employment has banned
them from doing anything related to GPLv3 code in their free time,
specifically GCC.

I don't want to mention them in a public website in case that gets them in
trouble.

~~~
chipotle_coyote
That doesn't surprise me. The GPL, especially v3 and AGPL, are specific weird
cases at a lot of companies -- sometimes because they want the freedom to
close off forks, but often because they're convinced the GPL/AGPL could
"poison" their work and force them to open previously closed source. (This
turned out to be a problem for us at RethinkDB, which was AGPL-licensed.)

------
nothrabannosir
I know this is a controversial opinion and I know it won’t directly solve the
issue at hand, but it’s related and it addresses some of the concerns raised
by many people in this thread: how do we get open source the funding it needs?

Consider a world where the norm is not MIT/BSD but GPL dual licensed with MIT
for a fee. This would give back control to maintainers of a library, and it
would allow people without funds to use the software freely by contributing
back to the community any changes they wish to further publish.

It puts the incentives in the right place, which is very important for a
scalable, sustainable solution and to avoid tragedy of the commons!

It’s controversial because licensing has become a tribal issue, frustrating
level headed debate. But I would argue that many people choose MIT without
really thinking it through, “because it’s how everyone else does it”. You can
see this in complaints from maintainers of code released under MIT, abuse
which would never have been possible with the GPL.

I really think there is value in evaluating the community’s obsession with
MIT, before we jump to pointing fingers at “companies”. Remember: if you get
burned by the tragedy of the commons, ask yourself why did we set ourselves up
to fail? It’s the hardest possible fight to win.

Again I’m not trying to derail this into MIT v GPL, I’m just saying: IF we all
choose MIT, can we really complain now? This is what happens: people profit
off your work and don’t contribute. If you feel so frustrated by that that
you’re adding ads to your lib, maybe MIT wasn’t the right choice?

(MIT has merit and there are people out there using it for the right reasons.
But they’re not the ones putting ads in their repos.)

~~~
NobodyNada
> Consider a world where the norm is not MIT/BSD but GPL dual licensed with
> MIT for a fee

Note that the MIT license allows redistribution: anyone who bought a single
MIT license could legally distribute MIT-licensed copies without continuing to
pay the original author for additional licenses.

~~~
rohansingh
I'm not sure that would actually be that big of an issue.

Let's say you have some sort of model where a monthly subscription gives you
an MIT license for all commits made that month. Who is actually going to go to
the trouble of mirroring every commit or release from upstream to their own
public repository? If somebody actually did that gratuitously, the copyright
owner could just decline to renew their subscription the following month.

I'm sure there's some issues with this that I'm not thinking of, but I think
generally if somebody is willing to pay you for a license, they're not going
to be a jerk and try to undermine your business.

~~~
_frkl
I agree with the parent post, and the sibling. MIT doesn't make much sense in
your scenario. Dual-licensing is usually a copyleft license, and some sort of
private/commercial license agreement to protect against the case the parent
comment mentions.

The people who want to support you are not the problem. They'd probably donate
too if they would buy a license in this thought experiment. The people who
don't want to support you are. One of them could buy a license, relicense as
MIT. And either they'd get updates with their paid license, in which case
they'd just release those as MIT too, or wait for your next stable version and
buy again and so on. Or they would just fork the project, and start their own
business around it, without having had any more cost than a single license....

------
jancsika
It's inspiring how quickly ad tech devs can band together to completely remove
all ads from their ad tech development environment.

~~~
chipperyman573
I've had a theory for a while now that the only reason devs are so ok with
working on ads is because they never see any (with pihole/ublock/hosts/etc...)
and they don't know how creepy they are. On the rare occasion I have to turn
off my adblocker I'm almost always amazed by how well the ads are tracking me
- and that's while I'm actively trying to prevent it from tracking me!

~~~
hombre_fatal
On the other hand, I'm sure it simply pays nice.

------
huntaub
The rationale from the author of the package who added advertising is
enlightening and definitely worth reading.

[https://feross.org/funding-experiment-recap/](https://feross.org/funding-
experiment-recap/)

~~~
prepend
I don’t agree with his problem statement that OSS developers need payment.

I think that paying people for valuable work is a good thing. But I don’t
think there is a problem with this as evidenced by 50 years of great OSS
software written by professional and amateur developers.

Saying I spent 4000 hours on a project without pay is not enough info to be
useful to determine that I need payment. I volunteer time to lots of
charities, I don’t then say I need payment for this time. I also spent
countless hours on hobbies, this doesn’t entitle me to payment.

If I put an annoying ad into people’s consciousness because I spend 3000/year
organizing my magic cards, that’s not really relevant to most people.

~~~
cj
That reasoning makes sense at first.

Until you consider the fact that critical infrastructure depends on
underfunded open source projects that sometimes have trouble staying afloat.

NTP is the classic example of the problem.

[https://www.infoworld.com/article/3144546/time-is-running-
ou...](https://www.infoworld.com/article/3144546/time-is-running-out-for-
ntp.html)

[http://www.ntp.org/](http://www.ntp.org/)

~~~
Nasrudith
If they depend upon it then there are two obvious solutions: provide it by
doing the work themselves, or fund it.

~~~
Avamander
Unfortunately people pick the third option that is dissing the developer who
has made that piece of code for trying to get funding for the work.

~~~
Nasrudith
That is just a ruder version of the null option "doing nothing, leaving it
unreliable and suffering the consequences".

------
Zelphyr
There is a lot of concern in this thread about open source projects needing
funding and they're not wrong. There are a lot of projects that are
underfunded--most of them, in fact.

However, it's not like the developers of and contributors to these projects
naively go in thinking they're going to get paid anything. They graciously
choose to make the fruits of their efforts freely available regardless of
compensation. And, yes, there are companies making money off of that
generosity.

My point is: nobody is in the wrong here. Both parties have entered into this
agreement willingly.

Injecting ads like this is wrong because the developers are reneging on that
agreement. It's as if the developers are saying, "You know what? I changed my
mind and I want some money for this because companies are making money off of
it now." What's worse is they aren't even charging the companies directly.

I'm all for a discussion around how to help generate funding for FOSS projects
but have we not learned from Google, Facebook, and others how wrong a path
advertising can be? At what point are the advertisers going to want
demographic information and the module developers start requiring you provide
that information at 'npm install'?

~~~
hippich
I totally agree about open source devs doing it voluntarily. But I disagree
that they have no right to stuff the terminal full of ads. It is their code;
they can do whatever they want, even change their mind and license from there
on into the future. Just like npmjs.org is completely within its rights to ban
such projects from enjoying the benefits of the package distribution platform.

In fact, if the project was important enough, and maintainer was stubborn
enough, I am sure devs community using that code would rant, but end up using
it anyway, with or without npmjs.org

------
mikl
It’s a slippery slope. The first packages with ads just printed a single line
of text. Then others started adding more lines, more aggressive colors, and
now you have npm ads painting a half a screenful of empty lines with their ad
in the middle. One can imagine an arms race of ever worse ads.

And considering that it’s not unusual to be installing _hundreds_ of npm
packages for a single project, the ads would soon render the logging output
unusable, giving rise to an arms race between npm ads and npm ad-blockers.

So npm basically had to nip this in the bud, before it makes the ecosystem
unusable through the tragedy of the commons.

~~~
bipolar_lisper
they didn't limit ads. they banned them altogether. it's a charitable thought,
but doesn't hold up.

~~~
mikl
That was the correct thing to do. Considering how many npm packages the
average project consumes, having even a single line of advertising for each
would make npm a pain in the ass to use, and people would be looking for ways
to block the ads.

~~~
gerogerke
Clearly, you didn't read the article from the original author. Ads were
deduplicated, so only a single ad was shown, even if 500 deps used the funding
dependency.

~~~
mikl
That’s a big _if_. Until now, each package with ads has rolled their own, and
since there’s probably more money to be had that way, there’s no reason that
would not continue.

------
antome
Key part of the article: "According to these upcoming updates, npm will ban:

Packages that display ads at runtime, on installation, or at other stages of
the software development lifecycle, such as via npm scripts.

Packages with code that can be used to display ads are fine. Packages that
themselves display ads are not.

Packages that themselves function primarily as ads, with only placeholder or
negligible code, data, and other technical content."

I wonder where they will draw the line with the last point.

------
slovenlyrobot
Far, far more harm is caused by a package repository electing itself as a
censor than could ever be caused by a few additional chunks of ASCII turning
up in a 4MB Travis CI log. Free software is supposed to be about freedoms, not
having those freedoms dictated to me regarding what kind of software I can or
cannot create.

There are limits to explore in this area, for example, I doubt anyone would
disagree with censoring obvious malware. But for the rest? It is deeply
political, and politicizing the distribution of free software is frankly
repugnant. This puts me off spending much time with the JS ecosystem (not that
I would have already), and worried about it setting precedents for ecosystems
I actually do care about.

A glorified FTP server should never be telling you what kind of software you
can write or how you package it. In this scenario, the glorified FTP server is
no longer fit for purpose, and if such changes have community support, in my
eyes that community is no longer a free software community.

~~~
reallydude
Seems like an opportunity to compete in a market. It's just a matter of time
now before npm has competition.

------
_greim_
NPM's move to ban the practice is unsurprising. Consider however that NPM has
no qualms about showing various nag screens of their own, such as "a new
version of NPM is available," etc. Perhaps they should consider taking
leadership in the OSS funding space. "Hey, it looks like you're enjoying these
packages x, y, and z! Click here to donate to your favorite OSS projects." Or
something.

~~~
jraph
A software update notice cannot be considered as an ad, can it?

~~~
NullPrefix
If the new version bundles crapware...

~~~
beart
Do new versions of npm bundle 'crapware'?

~~~
chipperyman573
They do not, I think GP was saying it would be an ad if they did

------
ipoopatwork
What's this "standard" package anyway? Looks like it's packing eslint with an
.eslintrc and... that's it?

~~~
Hamuko
It's apparently an ESLint wrapper that's worth $2000 in console ad revenue.

~~~
jonnyscholes
I've seen this comment and reserved comment a few times but here we go...

Sure, Standard on the face of it seems simple technologically, and compared to
many other things it is. But its value lies in completely removing long
winded and often unnecessary conversations within teams about code style.

Standard represents a standard style of writing JS that has gained widespread
support (similar to Airbnb's linter config). Its value is that a team can
adopt broadly sane conventions then never think about it again - which leaves
those dev cycles for shipping features. Without widespread use, Standard would
be just another linter config - but large parts of the JS ecosystem
(regardless of what people think of JS) have adopted it and as a result it has
saved the world a million conversations that "didn't need to happen".

If you care enough about style to not pick their choices, you're free not to
use it. But for a lot of us we just want a broadly accepted opinion so we can
focus on features.

And as it turns out, maintaining a style guide for how to write JS for the
masses takes quite a lot of work. Not writing code necessarily, but
considering and replying to all the feedback on that style.

Not for or against the funding project - but within the JS ecosystem Standard
has meant many hundreds of hours that might have been spent bikeshedding,
have been spent shipping features.

Standard has been genuinely useful to myself and pretty much every other JS
developer I know. And whilst I'm in no position to speak to whether I'm junior
or not I know a lot of the most experienced programmers in the JS ecosystem
reach for Standard so they can focus on more important matters.

It's not JS that has such opinions enshrined in law, Python for example has
pep8.

~~~
mrosett
"Just a configuration file" is an odd thing to say. People spend a lot of time
thinking about configuration! A coherent option set that makes sense in a
range of use cases is actually really valuable.

------
ydnaclementine
I know it's not a npm package, but would the donation message for kids in
Uganda when you started vim be considered no bueno with these rules? I guess
it's not an ad technically

~~~
latortuga
Same deal for Sidekiq, a very popular job worker library in the Ruby world. On
startup, if you don't have a commercial license, it advertises the
availability of one:


    Upgrade to Sidekiq Pro for more features and support: http://sidekiq.org

I personally have no problem with this and I think the npm ruling is a bit too
restrictive.

------
chaostheory
I’m hoping that with GitHub getting into the donation game, things will get a
little better for funding open source.

This is just the symptom.

It’s really difficult to convince people to part with just $100 a year to fund
something critical to our org. I do fund some projects, but there are plenty
of others that I use regularly that I don’t fund monthly.

~~~
lacker
The problem is that the $100 usually isn’t funding something critical to your
org. If you are getting some key feature in return for your money most
organizations will be happy to pay, a lot more than $100 really. But giving
someone $100 for a product whose stated price is $0 doesn’t make as much
sense.

~~~
chaostheory
> If you are getting some key feature in return for your money most
> organizations will be happy to pay, a lot more than $100 really.

I don't feel this is true. How many major organizations donate or sponsor
django, vue, or another major framework that's a key part of their business?

~~~
lacker
They aren't getting Django or Vue in return for their money. They get Django
and Vue for free. If there's an additional feature that doesn't exist and they
need someone to develop it, they are typically willing to pay for that
feature.

------
Nasrudith
Really, ads in a terminal are a needless attack vector and a dumpster fire
for security; that is part of the reason /why/ they have so many detractors.

~~~
ryanlol
This makes no sense at all.

~~~
reallydude
If the ad makes a remote call during execution (for a dynamic ad serve), it's
an attack vector. There is always custom ad code for analytics that ad servers
use to fill (the ad placement space) and report back, called an ad manager. As
an advertiser, you can upload your own ad manager (that has your own custom
code).

Reading the code of the NPM package will not typically help with understanding
what it's going to do, because of the ad ecosystem, which guarantees running
code you have never seen.

I could understand banning dynamic ad injection and telemetry. My ethical line
would be if a package manager were to ban static links/symbols displayed in a
README and that's not what NPM aims for, so it's fine by me.

~~~
ryanlol
>If the ad makes a remote call during execution (for a dynamic ad serve),
it's an attack vector. There is always custom ad code for analytics that
ad servers use to fill (the ad placement space) and report back, called an
ad manager. As an advertiser, you can upload your own ad manager (that has
your own custom code)

Can you point out a real example of terminal advertising like this?

~~~
reallydude
No. I haven't looked through many js packages.

I could make it without any effort via:

[https://github.com/feross/funding/blob/master/messages.json](https://github.com/feross/funding/blob/master/messages.json)

Currently it's "manually curated" which is a fancy way of saying, it's my own
custom ad-tag that doesn't call an adserver. Replacing one field with a
function that is immediately called and getting your value out, is how most
people would integrate an ad-tag.

Using DFP or whatever, you can plug in an adtag call and parse values and
you're in business. Ad platforms don't usually support plaintext tags, but I
have seen them still supported by some of the older "native ad" platforms who
started as platforms that served HTML strings (Taboola, etc).

The takeaway is that NPM nipped it in the bud because it's trivial to abuse.

~~~
ryanlol
So you’re talking about software which doesn’t exist, right?

This seems like a silly slippery slope argument.

~~~
reallydude
> So you’re talking about software which doesn’t exist, right?

It exists on my computer right now (didn't use an actual admanager, just coded
a remote call). You want to believe the gun pointed at the door with a string
on the trigger and doorknob is not a danger because you don't want to open the
door. Good luck with whatever.

------
tempguy9999
OK and quite right, but how do we actually ensure funding for the stuff that
needs it?

It seems odd to me that people won't cough up even small amounts to support
what F/OSS they rely on, but will pay for closed source stuff.

~~~
Hamuko
How many people actually rely on standard? I'm not talking about downloads,
I'm talking about active users.

~~~
tempguy9999
I am being thick; what's the relevance of that?

~~~
Hamuko
Well, if we are talking about funding FOSS projects that people rely on, we
should first establish what projects people rely on. When installing a package
is so easy that you do it a hundred times without even knowing it, the
download numbers don't really convey that information. It's more of an
indicator of dependency penetration.

------
beefhash
See also: GNU parallel showing a nag for being cited in papers.

[https://git.savannah.gnu.org/cgit/parallel.git/tree/src/para...](https://git.savannah.gnu.org/cgit/parallel.git/tree/src/parallel?id=c0e63fb81c15dc2905f4f0a1e06e0aa19ea2fe25#n4807)

~~~
djsumdog
huh .. that's interesting. I wonder what RMS's take on that is. I know he
worked on a project at one time that would let readers buy articles
anonymously. I don't think it got anywhere though.

~~~
pritambaral
> I wonder what RMS's take on that is.

From
[https://www.gnu.org/software/parallel/parallel_design.html#Citation-notice](https://www.gnu.org/software/parallel/parallel_design.html#Citation-notice):

> As the request for citation is not a legal requirement this is acceptable
> under GPLv3 and cleared with Richard M. Stallman himself. Thus it does not
> fall under this:
> [https://www.gnu.org/licenses/gpl-faq.en.html#RequireCitation](https://www.gnu.org/licenses/gpl-faq.en.html#RequireCitation)

------
vfc1
I don't like terminal ads either, but I wouldn't mind them if they meant that
the creators of popular libraries can keep maintaining their work without
giving up their personal lives.

Monetization is still a huge taboo in the open-source community and is badly
viewed by many of its biggest beneficiaries, developers who make their entire
living out of skills that consist of knowing how to use these open source and
free technologies.

Shouldn't the creators of these libraries that bring so much value not be able
to make a decent living maintaining them, instead of working for some company
maintaining a silly CRUD application during the best hours of their day, while
their side project which is much more valuable to the world only gets the odd
final hours of the day, at the expense of their family?

If more open source maintainers could make a living doing directly open
source, this would mean better quality libraries, better documented, and more
overall libraries that solve more common problems.

People would be able to contribute to open-source well into the end of their
careers, and not stop due to family life incompatibility.

If terminal ads were the price to pay for that, I would not mind at all
having them.

~~~
frenchyatwork
> Monetization is still a huge taboo in the open-source community

That's not true. Qt has managed to monetize fine, and it's no pariah. This is
100% about the way in which people are hijacking tools to promote monetization
of their code.

~~~
vfc1
Interesting, I was going through their landing pages and it's a bit
overwhelming. It looks like a cross-platform development framework based on
C++, but what is their business model?

Consulting, extra features, SaaS, is it partially closed source? Could you
tell us how they did it?

------
lootsauce
I see the following when I run npm install on a Create React App. Are these
things now verboten as well? Personally It feels a bit yucky to start making
package install logs into a kind of bulletin board system so yeah maybe
dialing it back a bit is a good idea.

    Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

    The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
    > https://opencollective.com/core-js
    > https://www.patreon.com/zloirock

    Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

~~~
CSSer
You know, it’s funny, this exact ad is the first thing that came to mind when
I read the headline. It’s a very popular package. I wonder if it was part of
the decision.

------
kylek
Hopefully someone at Canonical takes a hint for Ubuntu’s default motd.

~~~
feross
For context: [https://motd.ubuntu.com](https://motd.ubuntu.com)

------
swiley
Most of us use vim. That’s ad supported and I think most us can agree it’s not
awful.

It’s certainly possible to do ads well (maybe even more common in terminal
software.) I personally don’t have any experience with ads in NPM though.

~~~
rrss
Vim isn't ad-supported. Vim has one message that you might consider an ad,
and the money doesn't support vim's development, it goes to charity. I think
it also used to be possible to donate to vim directly to support the
development, but I think that money goes to charity now too.

(I personally don't think "help poor children in Uganda by donating" is an
ad).

~~~
0xffff2
Where exactly is this message? I use Vim fairly often and I've never seen
it...

~~~
JonathanMerklin
:help license

I think in earlier vim versions, you could see a message if you opened vim
without a file (vim -u NONE # to prevent .vimrc from doing whatever
shenanigans you've set up)

~~~
0xffff2
Huh. My .vimrc is pretty simple and definitely doesn't include a "don't show
donation messages" line, but I do see the message on the front screen when I
do `vim -u NONE`. It's not there when I execute `vim`.

------
jrpt
I've been thinking about this for some time and have decided open source and
funding for sustainability are fundamentally incompatible. Like another
commenter said, few companies are donating of their own free will, but they
are willing to buy a license. So the solution is to sell licenses.

But at that point, it is no longer open source. The world needs something in
between totally free open source, and private closed source. I'm calling that
in between model Super Source: [https://supso.org/](https://supso.org/)

Think about it: what do the customers (primarily companies) like about open
source? Primarily, that there's decent code already written that they can
easily find and use. And that they can view the code, integrate it with their
software, and perhaps make small modifications if needed, or offer drive-by
pull requests. And sure, they like that it's free, but most companies would be
willing to pay a small fee for licensing if they had to.

Projects that use Super Source have their code online, viewable, downloadable,
and usually free for individuals. But for companies, they require a small
licensing fee in order to use the software. So it's no longer technically open
source, but still has a lot of the benefits.

This isn't just theoretical. Hundreds if not thousands of companies have
signed up with Super Source.

Get in touch if you're interested in how it can work with your project.

~~~
CSSer
What prevents me from masquerading as an individual when I’m really a company?

See:
[https://twitter.com/jhooks/status/1167480182157889536?s=20](https://twitter.com/jhooks/status/1167480182157889536?s=20)

------
wildpeaks
I kinda agree with banning the ads because it would have grown out of control
and a race to the bottom on who can make their ad more efficient than the
others.

But here's an idea instead: we already have a Sponsor feature on Github, so
how about a command in the package manager that lists all packages that could
be sponsored, similar to how packages can be audited?

That way everyone is on an equal footing instead of money going to money.

And if it's not enough, how about using private repos where you need a
subscription to access the package?

~~~
wildpeaks
Furthermore, ads in the console only annoy developers, the people who are
rarely in charge of the money. You want developers to advocate for you, not
against you.

Also, a centralized command in the package manager enables generating lists
that their accounting department can use, it can even be part of their
automated pipelines and taken into account when they're billing projects to
their users.

For larger companies (the ones that are most likely to afford this), making it
easy for a problem to go away often matters more than the price itself.

------
_frkl
Hm, difficult topic, I can see both sides. I'd be interested what would happen
if npm decided to add a 'contains-ads' metadata field which package authors
can set to true if they want to display ads. By default, those packages would
not be listed when searched, and would not be installable, unless the user
sets an 'accept ad-packages' flag for that (or all) packages (opt-in), on the
client side.

I guess the main problem is that developers (rightly, in my view) think that
the usual suspects of suggested open-source funding methods which rely on
deliberate actions from users (donations, etc.) are not really feasible.
Double-licensed copy-left at least requires users to make a decision to
acquire a private license in case it's necessary. But if you for some reason
don't want to use copy-left, I guess the ad model would seem like an option,
as it does not require the user to do anything.

What I suggested above would take care of the fact that unwanted ads are
pushed upon the user, and users would have to make an active decision to allow
ads if they wanted to use a certain package. I'd be interested how many people
who complain about this idea right now, would still be principled enough to
not install such a package in the case where the package is high-quality, and
there is no good alternative around...

------
ajflores1604
I'm new to the wider development field so I'm pretty ignorant to the dynamics
of how things work right now or what it takes to maintain an open source
project; how come a bounty system isn't more prevalent?

I know bountysource exists, but I rarely see it brought up.

Wouldn't work for all packages or projects, but for the ones with big
corporate use that are still being developed, it seems like a straightforward
way to have a project be more self sustaining vs hoping ppl decide to donate.

Seems like a decent first step towards a wider system that could track what
packages you use, or that you manually list, with each package or project
having a monthly "sustainability goal" set by the maintainer. So that critical
packages used by everyone can have more visibility and a more dynamic support
system with lower barrier between the maintainer and the wider community. I've
always felt that the "subscription" model of things like patreon or similar is
too much of a mental commitment for most ppl. Besides, my needs change month
to month, and so would what I want to support. Having wider "sustainability"
goals with an easy way to donate to them would encourage me to efficiently
support the projects I find most useful or inspiring to me. Basically having
the data and seeing which projects are important to me and currently
short-funded, and also having an easy system to directly support them without
long term commitments.

It's that visibility of the current state of different foss projects that I
feel needs to be addressed, before any creative solutions on monetization can
really be layered on top.

------
flingo
I didn't see anyone mention the amount of libraries this is depended on in
the comments. According to npm's site, it's 441 as I post this. The developer
himself claims about 33340 other projects use it. (or at the very least,
that's what his automated use counter says:
[https://raw.githubusercontent.com/standard/standard-packages...](https://raw.githubusercontent.com/standard/standard-packages/85a7556f6051e8b7dfef471fed31378c4605f785/all.json) )

Probably a good thing this was caught early, as the typically large number of
node.js dependencies required for a package could have led to some sort of
combinatorial explosion of ads on install.

Even assuming that any one ad package checked to make sure it only displayed
ads once per session, very many people would want to put an ad into some
library somewhere, especially if they have existing users/dependants for their
pre-ad version. Careful maintenance would be needed to avoid putting other
people's ad code in yours, but also keep it up to date to fix exploits.

~~~
WorldMaker
standard is most often in `devDependencies` rather than `dependencies`, which
npm's site tracks; that would explain a lot of the disparity in the two
numbers.

------
craigkilgo
Is there a package to convert all Internet ads to simple console messages? I
would be down with that package.

~~~
liability
This idea seems right up there with _"gee whiz, wouldn't it be neat to invent
neurotoxic poison gas?"_ We don't need this. This would not make the world a
more pleasant place to be.

------
langitbiru
The creator of Ruby on Rails, DHH, wrote about Open Source:
[https://m.signalvnoise.com/open-source-beyond-the-market/](https://m.signalvnoise.com/open-source-beyond-the-market/)

To put it in a nutshell, his strategy is making money somewhere else (Basecamp)
and then expressing himself without any expectation by developing an open
source project (RoR).

My strategies are similar to his strategy: 1. Create LGPL/MIT/BSD
open-source projects without any financial expectation to fulfill the
self-expression need and achieve fame, 2. Create GPL / dual license projects
that I want to sell / commercialize (the downside is I can not expect other
programmers to contribute to these projects).

------
thosakwe
The fullPage.js model IMO is the best way to fund an open source project, if
you’re not getting paid by an employer specifically to maintain that project.
Make a free option available for copyleft-compatible cases, and then charge in
cases where profit is involved.

------
dragosbulugean
While I don't particularly like ads in Node.js libraries output, I do not like
that NPM has anything to say in regards to whether ads are permitted or not.
Think about it, why should a distributor be allowed to ban a producer?

------
barbecue_sauce
I didn't realize that this was a thing.

~~~
Hamuko
It was a thing for about a week.

------
fortran77
One line like: "See creator's web page at
[http://example.com](http://example.com)" I think should be ok. To me that
would be an OK compromise.

------
013a
A few thoughts:

(1) Most open source projects do not provide the outsized value impact that
their creators seem to think they do. Most projects exist around the realm of
"it's 20% easier to install this than build it ourselves, so let's grab the
dependency". That's nice, but let's be clear here: Standard.JS is not building
Rails, or NodeJS, or Express, or React, or another _seriously_ valuable
project that saves companies thousands of dollars.

(2) Open source maintainers are deathly afraid of restrictive licensing. That
could mean GPL, or it could mean a straight-up enterprise "pay for a key"
licensing. I think these are _fantastic_ ways to level the field between
individual OSS devs and billion dollar companies, because most billion dollar
companies take licensing very seriously. Where does this fear come from? I
think a big part is that these OSS devs "want their cake and to eat it"; they
want the ego and community of an altruist, but the income of a Capitalist.
Another component is point (1); if you really tried to place a number on the
value of their project, they'd be disappointed with the number customers would
quote. They don't want to find out what that number is; they'd rather just ask
for donations (of which they get very little, because, again, this software
by-and-large does not provide outsized value).

(3) It's crazy to me that companies would pay for advertising space in an npm
install script. I'd bet developers behind projects like StandardJS went to
these companies and said "look we get millions of installs every month, that's
millions of impressions", and I _hope_ the companies are smart enough to know
that (A) the vast majority of those installs are in unmonitored CI scripts,
and (B) even if they are local, the text flies by so quick, and (C) even if
they aren't quick, no one watches that progress anyway. Even if there's no
deception today, one can easily see that monitoring "impressions" here is very
difficult, and thus it's very difficult to place a quantitative value on that
ad space.

(4) The inability to sustain yourself on open-source development is about
equivalent to "I can't sustain myself on volunteering time at a food kitchen
for the homeless." If you're actually having funding problems to live your
life, it's time to reassess. Again, this sounds like some of these projects
have some egotists behind them, or maybe they just feel like they can't leave
(hint: you can. you're human. your priority is you. not the billion dollar
companies who use your software without paying). Find help. Take a break. See
if your full-time company can "sponsor" development by letting you work on it
5% of the time.

~~~
19ylram49
> That's nice, but lets be clear here: Standard.JS is not building […] [a]
> seriously valuable project that saves companies thousands of dollars.

This is quite debatable and hard to measure, given the problem that Standard
solves. As an anecdote, I just started a new TypeScript-based project a few
days ago and I’ve spent the past few days mostly dealing with configuration.
That’s perfectly fine to me for a personal project where I’d like to decide
every aspect of the configuration, but let’s say this was for a fast-moving
startup, it’s probably a smarter idea, for most projects, to simply adopt
Standard et al. and call it a day. Practically speaking, if you consider a
software engineer’s salary and other important factors, I don’t think it’s
fair, or accurate, to claim that Standard doesn’t save companies thousands of
dollars; it almost certainly does.

------
hnruss
I don’t see the point of CLI ads for open source software. If the maintainers
want money for it, they should simply require a paid license for commercial
use.

------
tjholowaychuk
Just go to the VCs, they're pretty dumb, they'll throw millions at just about
anything with a lot of GitHub stars these days.

------
nabdab
It was already banned, this is just doubling down. The terms explicitly
prohibited adware.

------
readme
Well I guess they've killed the market for terminal ad-blockers.

------
thefounder
Isn't this a kind of censorship? I guess Go has the same fate.

~~~
mfcl
Of course it is, and that's okay. It is NPM removing a package from its own
servers. It is okay just like automatically deleting spam emails is okay and
disallowing bad words during children's TV shows is also okay.

It's not like NPM is preventing anyone from using some packages no matter
where they are hosted.

(or maybe I misunderstood your concern)

------
duxup
I haven't really run into any.

Has anyone run into some unexpectedly?

~~~
lioeters
Yup, just this week I noticed the npm package `core-js` used by the Babel
transpiler was polluting my build logs.

It listed opencollective and patreon as possible channels of support. That I
didn't mind so much, but then there was a message (repeated countless times in
the logs) that the author was looking for a job. That's just spam in my
terminal, unacceptable.

Background and heated discussion in the following GitHub issue (since closed
without resolution):

Get rid of postinstall message

[https://github.com/zloirock/core-js/issues/548](https://github.com/zloirock/core-js/issues/548)

I believe some irate users reported it to NPM, which could have triggered or
contributed to the policy decision to ban terminal ads.

~~~
duxup
Interesting, thank you.

I'm not heavy on the "hell I'll just import anything" kinda thing so I often
feel immune to some of the random "omg this package" panic.

But... Babel... that's some serious stuff once it hits there.

~~~
depr
The serious stuff is that this library that's used in over 3 million projects
according to Github, let alone projects that Github doesn't count, is only
making the author a measly $200 on Patreon.

~~~
duxup
I think that's an interesting but any idea or solutions really seem ... worse
to me. Including hitting up everyone's console all the time.

------
gautam1168
I loved those things

------
fnord77
_This library was brought to you by Coca-Cola._

------
Jonnax
Doing open source without utilising the code in some form of paid product
is a foolish thing to do.

Essentially making someone else rich for free because Software-As-A-Service is
seen as the morally superior method of generating revenue.

I'm sure we'll be reading many articles about some open source developer
building some critical tool or library utilised by half the world. Only to
live near the poverty line.

Whilst companies made millions off of it.

~~~
reaperducer
_Doing open source without utilising the code in some form of paid product
is a foolish thing to do._

The entire computer industry was founded on people writing software for the
joy of writing software and giving it away for free. 90% of software available
through the early 80's worked this way. We called it "public domain software."

(As an aside, the earliest version of the word "hacker" that I can remember
was when people would take public domain programs, "hack" out the original
author strings, then redistribute the program as their own work. The
definition of "hacker" has gone through about five permutations since then.)

~~~
JoeAltmaier
I think that's revisionist thinking. I wrote software through that period; I
remember it as expensive and closed. The free stuff was exceptional because it
was free.

Come on; Linux started in 1991; Stallman was an unknown and just beginning his
ministry in the 80s. Corporate software dominated everything, including the
IBM PC which was the flagship of Silicon Valley. DOS wasn't free; software for
it was for sale everywhere.

~~~
reaperducer
_I think that's revisionist thinking. I wrote software through that period; I
remember it as expensive and closed. The free stuff was exceptional because it
was free._

I wrote software in that period, too. So, no, it's not revisionist. Yes,
closed software was very expensive. You'd pay upwards of $1,000 for a
compiler, or $500 for a spreadsheet. But there were tens of thousands of
public domain programs that were also available. Some of the PD libraries from
organizations like TPUG were massive. No, it wasn't all good. But if you
wanted higher quality, you paid the money for it.

_Come on; Linux started in 1991; Stallman was an unknown and just beginning
his ministry in the 80s. Corporate software dominated everything, including
the IBM PC which was the flagship of Silicon Valley. DOS wasn't free;
software for it was for sale everywhere._

I think you're thinking of a later period in time than I am. I'm not thinking
x86 era. I'm thinking Z-80 era.

------
ramzyo
I’m surprised Feross was the catalyst here. From his YouTube Instant days he
always struck me as the type who appreciated and championed FOSS. Seems he
decided that the F in FOSS might be, erm, “reinterpreted,” much the way the
notion of “free” has been by modern web companies.

~~~
ramzyo
For more context, in case anyone is wondering what I was trying to communicate
amidst the torrent of downvotes.

Feross is a meaningful voice in open source. I've admired him for a long time,
and still do. He's written some thoughtful posts in the past about FOSS
specifically, hence the specificity of my comment (see his post from 2010
here: [https://feross.org/stallman-stanford/](https://feross.org/stallman-stanford/)).

Reading his justification for the "funding" experiment (here:
[https://feross.org/funding-experiment-recap/](https://feross.org/funding-experiment-recap/)),
I was struck by the fact that he didn't address an
obvious slippery slope in his argument for what he was experimenting with,
namely,

"For the record, funding had absolutely no tracking, no data collection, and
no code from untrusted third parties. It was a console.log with some fancy
formatting. Think of it like a newspaper classified ad. We just print it and
hope that maybe some folks will see it."

I don't knock his attempt at experimentation with funding models for FOSS
developers; however, there's an ongoing history lesson we're all living that
serves as a cautionary tale for where ad-funded monetization models can go.
Considering corporations are largely involved in FOSS today, could the
normalization of monetization of FOSS with the wholly positive intentions of
rewarding those who have dedicated their time to developing FOSS software, not
evolve into a model wherein for-profit companies use this as a backdoor to
monetize their FOSS contributions? For example, imagine compiling Kubernetes
and getting an ad for Google Cloud services. Or compiling the Linux Kernel
with features committed to the kernel source primarily by Google and getting
an ad for a Chromebook as part of the boot sequence.

Sure this is all a bit dystopian, but I'm surprised someone as thoughtful as
Feross didn't address the possible unintended consequences of his experiment,
even if his original intentions were in no way nefarious.

~~~
liability
> _Think of it like a newspaper classified ad._

Consider also the quality of advertising those organizations (newspapers,
magazines, etc) submit their readers to in the digital domain. The worst sort.
That newspapers printed on paper lack telemetry is not attributable to pure
motivations on the part of the publishers. Rather, print newspapers lack
telemetry simply because nobody has figured out how to put telemetry in them.
Where it's possible, those same organizations eagerly adopt telemetry because
of the nature of the economic incentives in the advertising industry.

