
Kik, left-pad, and npm - mattei
http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm
======
bastawhiz
Claiming that users would be confused when installing the Kik package is a bit
of a bad excuse. Installing a package without knowing what it is or does is
simply nonsensical. There's no way of knowing even _how to use_ the package
without looking up information about it beforehand. Anyone seriously
installing a software package using a developer tool without knowing anything
other than the package's name is a fool.

Additionally, the lawyers in question did not seem to want to put a new
package online, they simply wanted to take down the existing one. This does
not seem to be the intent of the name resolution policy.

This was a bad call on the part of the NPM team, and they should reevaluate
how they arbitrate these issues.

~~~
bsimpson
Kik (the company) wanted to publish an npm module using their trademarked
company name[1]. As has long been npm's policy, they asked the trademark
holder and the author to work it out amicably. Azer handled the situation
about as gracefully as you'd expect from someone who published a module
without checking if the name was clear and rage-quit when that decision bit
him, bitching about "corporations" and stranding the countless developers who
(eventually) depended on one of his modules.

npm and Kik did most-everything right. The problem was in unpublishing already
published tags. Once a tag is published, it shouldn't be able to be
unpublished except in the most extenuating circumstances (perhaps a brand-new
tag that inadvertently included PII). After a name changes hands, the new
owner shouldn't be able to publish a new build in any of the major versions
the previous owner tagged. Moreover, wholesale unpublishing modules shouldn't
be allowed for the exact reasons this incident demonstrated. Based on npm's
response, it sounds like they've learned that.

[1]: https://medium.com/@mproberts/a-discussion-about-the-breaking-of-the-internet-3d4d2a83aa4d#.zgf76kuk3

~~~
jsprogrammer
The problem is that KIK (the company) has no registered trademark for this
use. If they had, they (or you) could point to the specific registration that
the `kik` project infringed upon.

Any talk about trademarks is irrelevant (and npm even claims in this article
that it had nothing to do with their decision).

Additionally, the `kik` package now has this description:

'This package name is not currently in use, but was formerly occupied by a
popular package. To avoid malicious use, npm is hanging on to the package
name, but loosely, and we'll probably give it to you if you want it.'

So...why did this happen again?

~~~
dandelany
Because Kik plans to `npm publish kik`, presumably a JS API or something. That
is a stock robomessage, though granted, not a very good one under the
circumstances.

------
deciplex
> _npm won’t suddenly take your package name._

"...unless we do, in which case we will."

I wonder at the cognitive dissonance that has to be there to type a thing like
this when the entire shit show started with you doing _exactly_ what you're
saying you won't do.

~~~
ahuth
I'm not completely up to speed on the situation. Do we know that this happened
suddenly?

~~~
deciplex
Based on the chats here:

https://medium.com/@mproberts/a-discussion-about-the-breaking-of-the-internet-3d4d2a83aa4d#.g9g00gzhx

It does seem that the first contact from NPM to Azer was to tell him they were
taking his package. There does seem to be a gap there, so maybe there is more
to it.

~~~
jsprogrammer
The author of that post claims those transcripts represent the "complete email
thread of [their] exchange", but I also have serious doubts about the accuracy
of that claim.

Particularly troubling is the 'first' email from KIK|Bob to NPM:

>OK, so it doesn’t seem to be possible to resolve this amicably. Can you guys
help?

>Bob Stratton

>kik Interactive

If this was a cold-email to NPM, we must assume that Bob is relying on NPM to
spend time deciphering the chain mail that he had just forwarded to them.

Words like "it" and "this" suggest that there had been prior correspondence
between the parties, but maybe Bob just likes to dump chain mails on other
parties while using extremely vague pronouns?

~~~
WorldMaker
Following the Dispute Resolution Policy [1], NPM would have been CCed on the
entire chain. This is tl;dr item #2 right at the top:

«2.Email the author, CC support@npmjs.com»

Given other context in the exchange, I would give Bob the benefit of the doubt
that he followed Item #2 here and did CC NPM in this discussion.

Additionally Bob is correct that as soon as the F-bomb was thrown it was a
clear intent by Azer not to deal amicably with the situation and also a clear
violation of the Code of Conduct [2], which is not mentioned in this article
because it is directly invoked/linked in by the Dispute Policy, but is also
applicable to the actions taken here.

[1]
[https://www.npmjs.com/policies/disputes](https://www.npmjs.com/policies/disputes)
[2]
[https://www.npmjs.com/policies/conduct](https://www.npmjs.com/policies/conduct)

~~~
jsprogrammer
Bob clearly started the vulgarities by dropping a D-bomb (and labeling himself
and KIK one) in the opening clause of his second email.

KIK|Bob never intended to act amicably and, in fact, admitted as such in cold
text.

>We don't mean to be a dick about it, but...

NPM seems to have ignored this blatant violation of their dispute policy and
didn't even engage in conversation.

~~~
WorldMaker
That certainly reads to me as an attempt to be colloquially amicable.
Certainly it would have put a better foot forward if he had started with
something more like "We are trying to do the right thing and...", but minor
self-effacing obscenities are something we Americans tend to use in a
colloquial, "buddy buddy" way to suggest that we are aware of the complexities
of the situation and empathize with the other person's plight and how they
must see us. It certainly read amicably to me, but I can also see why it may
not read that way to others, especially without vocal pattern contextual
information, and that it may in fact only add to the confusion of the
resulting conversation.

(Thinking about it, I wonder if this is something of an l10n/i18n issue... Oh
the wonders of global communications and how it can break down.)

~~~
MatthewWilkes
The whole thing reads to me as a cultural misunderstanding. At least, I
wouldn't consider the Kik messages to be anywhere near appropriate language
or tone. Given that npm seemed to be fine with it, I guessed that it's not
unacceptable to American ears, but my emotional reaction probably would have
been along the same lines as the original author's.

~~~
jsprogrammer
NPM should not have been fine with it [0]. KIK|Bob's language is in violation
of npm's stated Code of Conduct and Dispute Resolution process. If npm
actually read KIK|Bob's emails that were sent to Azer, I don't see how they
could have allowed that dispute to continue, let alone side with KIK|Bob.

[0] https://medium.com/@blakelapierre/bob-stratton-and-kik-interactive-is-a-dick-and-npm-enabled-them-111745581d15#.ijtqfa8pm

------
cornchips
"npm did not 'steal' Azer's code."

"npm did not _respect_ Azer's code."

"This incident did not arise because of intellectual property law."

"we believe that a substantial number of users who type npm install kik would
be confused to receive code unrelated to the messaging app with over 200
million users."

"This incident _did_ arise because of intellectual property _policy_."

"npm won’t suddenly take your package name."

"... except when we do"

~~~
sargas
Shady.

------
nej
Come on npm, no one blindly does "npm install kik" expecting to install a
messenger client.

------
pvdebbe
"Open source" doesn't mean the code is free to take over. The blog should have
used exact terms on licenses and their TOS.

------
sigmar
I like to support people that do things to convey their opinion and protest a
decision. Sometimes brazen behavior is warranted to get more attention to your
cause. But not in this situation. What Azer did seems like a "knee-jerk
reaction" performed mostly out of spite.

------
pluma
In other words: npm Inc says they have done nothing wrong and the only problem
is the ability to unpublish versions other people depend on. This matches the
way npm employees have been responding to the outrage on twitter yesterday.

However there are two causes for outrage here:

1. Azer unpublished a module a large number of projects depended on (mostly
indirectly via babel, which itself depended on it indirectly via a line
numbers package), breaking everyone's installs.

2. npm Inc handed over the kik package name used by azer for an actively
maintained project to kik Interactive who previously tried to strongarm azer
with vague legal threats unsuccessfully.

Personally I find #2 far more troubling but if you listen to what npm Inc and
its employees have to say it's as if this isn't even worth mentioning.

A representative of kik Interactive asked azer for the package name (after
having already published their own package on npm under a different name).
Azer said no thank you, so the same person responded with an underhanded
threat (but no actual legal claim) -- to which azer understandably responded
unfavourably.

Then the same person contacted npm Inc with wording that strongly implies he
isn't looking for mediation but for npm Inc to do what azer refuses to do --
but with no indication that failure to comply would put npm Inc itself at any
legal risk (which the statement now acknowledges although npm Inc employees
have indicated otherwise before @ag_dubs clarified). And npm Inc just does
exactly that.

As far as npm Inc and kik Interactive have been truthful about the exchanges
that took place, at no point did npm Inc try to mediate between kik
Interactive and azer over the use of the package name or alternate package
names and the intended use by kik Interactive.

Npm Inc is behaving like a private company here. That's okay and they've done
so in the past and repeatedly made it clear that they are a private company
and offer the npm public registry as a free service and the npm client as an
open source project.

However what is not okay is that npm Inc wishes to maintain an exclusive
monopoly and special status within the node ecosystem by being an upstream
dependency for the node project (the npm project existed before the formation
of npm Inc as a private company and the npm registry was only transferred to
npm Inc after it had already become the blessed module registry for node).

Right now node itself is under the control of the Node Foundation but npm
(both the client and the registry) is under the control of npm Inc. The npm
client and registry hold a special status within the node project by being
shipped alongside node (which has previously resulted in licensing problems
when npm Inc made changes to their license without notifying the node project)
and being treated as "the" node module registry.

This means a non-trivial part of the node ecosystem -- as advertised and
spread by the node project -- is under sole control of a private company.
Further, npm employees are members of the Node Foundation and influencing it
as such -- including Ashley Williams who was elected as a representative for
the Node Foundation members despite an obvious conflict of interest
(consciously or not) due to her prominent role at npm Inc.

It's a clusterfuck and I only see two options:

1. npm Inc continues to maintain the registry and client but stops
interfering with attempts to replace npm as the authoritative module registry
for the node project (leading to the eventual replacement of the registry and
client by something under the control of the Node Foundation).

2. npm Inc defers arbitration and governance of the public npm registry to a
Node Foundation committee (which they may join through the normal ways but
hold no special status in), effectively giving control over policies to the
Node Foundation (formalizing their special status without giving them as much
power over the node project as they currently have).

------
jsprogrammer
Some interesting things to note:

NPM claims intellectual property issues had nothing to do with their dispute
resolution.

NPM disregarded Azer's unpublish request by restoring `left-pad@0.0.3` from a
backup of Azer's original publishing, _not_ by repackaging the liberally
licensed source.

NPM claims the full dispute resolution policy is still in place, yet many of
the packages that have been taken over currently have no usable code and/or
are being 'squatted' in direct contradiction of that policy.

------
mehmetkose
Well, he's got balls. You were supposed to be on the side of the developer.

