
Let's fix NPM with IPM – Immutable Package Manager - reimertz
https://github.com/ipmjs/ipmjs#readme
======
ZoFreX
How does this fix the issue? Even if you think the Kik trademark claim was
invalid... what happens when a valid trademark claim arrives?

~~~
dandelany
Ideally, names could still change hands, but it would require a major version
bump. So I publish 'google-lib' 1.0.0, Google files a trademark claim and is
given publishing rights on the 'google-lib' package, but _only_ for versions
>=2.0.0. If a company still goes after you for hosting the archived code,
_that's_ when you make a legal stand and try to get EFF involved or something
- because there's zero case for "reasonable likelihood of [trademark]
confusion" over a deprecated version of a package which is only available via
'npm install'. I would expect this to never/rarely happen.

The harder question is what to do when you get a valid _copyright_ claim, i.e.
when someone publishes code that wasn't theirs to publish. I think in this
case, immutability doesn't really work, and you'd have to retroactively remove
all versions. This should also be fairly rare, especially since so many
packages are <500 lines of code.

~~~
vskarine
That's actually sort of how NPM works currently; they mentioned that that's
exactly how they would solve the Kik situation, by giving them a new version
of the package:
[http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm](http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm)

"Had Azer taken no action, Kik would have published a new version of kik and
everyone depending upon Azer’s package could have continued to find it."

~~~
spriggan3
> In a global namespace for unscoped modules, collisions are inevitable.

Why does npm work with a global namespace to begin with? Don't they
understand that's the root of the issue?

------
doragcoder
More Go centric, but they are similar. So there may be some ideas that could
cross-pollinate.

[https://github.com/artktec/gopkgr](https://github.com/artktec/gopkgr)

------
bcheung
I wonder if it makes sense to combine some kind of blockchain technology.

~~~
reimertz
I like the idea and I couldn't agree more. Would be awesome if each individual
package could be verified, maybe even stored, using the block chain.

If you have some time, please add an issue on the repo and start the
discussion over there.

