Hacker News new | comments | show | ask | jobs | submit login

Why on earth would someone pay for that if the code is already open source?

That's not the point, of course no one would pay $100 for a string pad function. The point is they own the source of code that thousands of people will potentially pull from without realizing it's a different owner who might have different intentions. Not trying to say what they did is wrong or bad (it saved a lot of people's butts I'm sure)--it's more just highlighting the massive issue with NPM package publish & unpublish.

v0.0.3 is open source, though there is no license in the Github repo, so murky, but NPM says its WTFPL

Since old code is under a very permissive license, then the new owner could create v0.0.4 add code and make the new version closed with a restrictive license.

This is where a license like GPL would benefit overall, since all future code requires to be under the same license.

Either way, it seems like a dangerous policy to allow someone to re-own a previous owned and published module. Licensing is not the real threat but malicious code that potentially could be deployed.

> there is no license in the Github repo, so murky, but NPM says its WTFPL

The WTFPL licensing comes from the package.json file, which is in the GitHub repo.

Yeh, my mistake. I missed it in package.json was looking for a LICENSE file.

Now I'm seriously wondering if npm is a goldmine for GPL infringement. If someone has an insane dependency tree with 1000 entries then there is bound to be at least some GPL in there forcing everything else to be GPL too.

Exactly--there's a great bug thread on the Atom text editor where they laboriously dug through hundreds and perhaps even thousands of dependencies to see if any had licenses that were incompatible with theirs. It looked like a complete nightmare and you can see the end result if you go to the View License menu in the editor--it's hundreds of little licenses.

With 1000 of dependencies, I would be much more worried that one of them are proprietary licensed (or was ripped from a place with no copyright license attached and then had a new license added the original authors permission). Imagine distributing a "$100 per use" software for a few years without paying, and how the court system would react.

I guess this is why debian takes licenses so serious.

Sadly, there's nothing insane about 1000 entries when it comes to npm. That's the reality of pretty much any non-trivial project, especially with React and Babel.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact