
Rage-quit: Coder unpublished 17 lines of JavaScript and “broke the Internet” - gotchange
http://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/?comments=1
======
YeGoblynQueenne
I don't work with JavaScript, so could someone please explain this to me? I
don't understand why one guy pulling their repository off the npm servers
affected others' projects. Why did everyone else's code refer directly to that
guy's repository, and not some centrally-maintained clone thereof?

Is it the case that projects on npm refer to the original authors'
repositories always? That sounds very unreasonable.

For instance, I'm pretty sure that's not the way it works with, say, yum. Red
Hat hosts some packages on its servers, but that's not where the projects'
code resides; the maintainers have their own repositories, and in fact the rpm
packages often have different maintainers altogether. So if a project goes
down, the package stays on the RH server and you can still get it any time you
want.

What I'm really asking is: why is it not done this way for npm also?

~~~
dalke
I haven't followed this closely, but I think I can answer your question.

> "Why did everyone else's code refer directly to that guy's repository, and
> not some centrally-maintained clone thereof?"

I believe the repository, which is on github, did not change. Quoting this
article: "And he used that command, deleting 273 modules he had registered in
npm (though he left the modules available through GitHub)."

Instead, it was the central registry which changed.

It looks like npm lets others manage "their" parts of the registry, unlike Red
Hat which is in complete control of what they release.

> "What I'm really asking is: why is it not done this way for npm also?"

My thought is that it's cheaper. Otherwise each new project in the registry
needs an employee to manage it. There's also a long tension going back to at
least the WELL's "You Own Your Own Words" of who controls the content provided
by members. If something starts off as "we control everything you do" then
that's going to be viewed with suspicion.
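The mechanics behind the question above, as an added example that is not part of the thread or of the Ars Technica article: npm resolves every dependency, direct or transitive, against the central registry at install time, so deleting one registry entry breaks every project whose tree reaches it. The registry snapshot, package names, version numbers and dependency chain below are constructed for illustration (they are not the real registry metadata from the incident), and the "cache" models what a lockfile plus a registry mirror or vendored tarballs give you.

```javascript
// Added example, not code from the original page. All data is constructed.

// Constructed registry snapshot: package name -> version -> dependencies.
// The chain babel-core -> line-numbers -> left-pad is illustrative only.
const registry = {
  "left-pad": { "1.0.0": {} },
  "line-numbers": { "1.0.0": { "left-pad": "1.0.0" } },
  "babel-core": { "6.0.0": { "line-numbers": "1.0.0" } },
  "react": { "15.0.0": {} },
};

// Constructed project manifests (the dependencies a package.json would list).
const projects = {
  "my-app": { "babel-core": "6.0.0", "react": "15.0.0" },
  "other-app": { "react": "15.0.0" },
};

// Simulate an unpublish: return a copy of the registry without that package.
function unpublish(reg, name) {
  const copy = JSON.parse(JSON.stringify(reg));
  delete copy[name];
  return copy;
}

// Walk a project's full dependency tree against a registry snapshot.
// Returns the sorted list of "name@version" specs that cannot be fetched;
// an empty list means the install would succeed.
function resolve(reg, deps) {
  const missing = [];
  const seen = new Set();
  const stack = Object.entries(deps);
  while (stack.length) {
    const [name, version] = stack.pop();
    const key = `${name}@${version}`;
    if (seen.has(key)) continue;
    seen.add(key);
    const versions = reg[name];
    if (!versions || !versions[version]) {
      missing.push(key);
      continue;
    }
    // Transitive dependencies are resolved against the same registry.
    stack.push(...Object.entries(versions[version]));
  }
  return missing.sort();
}

// Same walk, but specs already held in a local cache (lockfile-pinned
// tarballs, a registry mirror, vendored node_modules) do not count as missing.
function resolveWithCache(reg, cache, deps) {
  return resolve(reg, deps).filter((key) => !cache.has(key));
}

// Which of the constructed projects would fail to install against `reg`?
function brokenProjects(reg) {
  return Object.entries(projects)
    .filter(([, deps]) => resolve(reg, deps).length > 0)
    .map(([name]) => name);
}

// Stand-alone demonstration.
const after = unpublish(registry, "left-pad");
console.log("before unpublish:", brokenProjects(registry)); // []
console.log("after unpublish:", brokenProjects(after)); // [ 'my-app' ]
console.log("my-app with cached tarball:",
  resolveWithCache(after, new Set(["left-pad@1.0.0"]), projects["my-app"])); // []
```

Note that other-app never depended on the removed package and is untouched, while my-app breaks even though it never listed left-pad directly; that transitive reach is why one small removal had such a wide blast radius, and why pinning plus a cache or mirror that you control is the usual mitigation.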

