Npmjs.org moderated one of my comments regarding their outage today (robcolbert.com)
161 points by fragmede on Feb 28, 2014 | 77 comments

Hi! CTO of npm here. I haven't been reading HN today because we were trying to fix the SSL thing, so I was genuinely taken aback to see this article.

We didn't censor any comments; we did no moderation of any kind today. I have no idea what happened to his comment, but nobody at npm did anything to it.

Tough to give benefit of the doubt, but we're talking about Disqus here and I've had this sort of thing happen to me in the past. Willing to believe it could be an honest mistake. At least you know now to tread lightly if you were ever thinking of doing something like this.

I know you don't know me, but if you ever meet anyone who does, you can ask them about my personal attitude towards censorship of any kind. The idea that I would stoop to censorship for something as petty as somebody voicing legitimate complaints about a technical screwup of mine is laughable.

(Update: I remembered I wrote http://seldo.com/weblog/2013/09/04/why_i_am_a_web_developer a while ago, which should give some indication about how I feel about censoring the web)

Sounds like a lot of misplaced "outrage" about nothing. You've done nothing wrong, don't let yourself feel like you did.

The internet is a weird place like this, where mobs can assemble in hours and stick you on their pitchforks for an imagined slight before you know what's going on. That's just the way it works, unfortunately, and the tech crowds are no exception.


To those who actually appreciate what these guys are doing: now would be a good time to pipe up and show that you support them and are not represented by the vocal minority who's currently getting all the spotlight!

Just curious: what happened with disqus today that caused Rob's comment to be moderated without action on your team's part?

It seems worth investigating and would set many of the skeptics at ease to know that it truly was not moderated by a NPM member.

To be honest, if you had moderated that, I wouldn't blame you.

Freedom of speech doesn't mean you get to go into someone's house and shout in their face.

I was under the impression that anyone could flag something on disqus and it would be censored automatically.

Yeah, this must be it. Here's a screenshot of the settings option:


"Do not display a comment once it is flagged [Off/1 time/3 times/5 times/10 times]"

Does this mean that anyone who doesn’t want random and unknown censorship of their page comments should avoid using Disqus?

> Tough to give benefit of the doubt


Because their business interest very clearly aligns with HN readership not believing that they swept this comment under the rug, regardless of whether they actually did.

NPM's business interest is very clearly aligned with making sure that HN readership understands how seriously some people regard this. It is clearly in their interest to publicly address the issue - anything that hints at trying to hide from that is against their business interest.

IMHO the allegedly moderated comment didn't have anything that hasn't been said in hundreds of other places (except perhaps the cheap shot about them smoking something)

Nobody is really talking about this massive betrayal of trust by the npm maintainers.

Make a mistake and deploy a backwards-incompatible change? That's negligent. However, mistakes happen and I understand that. (An apology would be nice.)

But deleting the most important and insightful comment is damn-near unforgivable. Especially when such a note was so reasonable, even-tempered and had such empathy for the npm maintainers.

As of today, I don't really trust npm, and trust is considerably important for package managers. If they expect to earn any of my respect back, it would take a sincere apology.

Apology here:


Your outrage seems rather misplaced. They screwed up their certificates, which caused a problem for people running the non-latest-stable nodejs.

They then posted how to fix this, and apologised for the problem.

Note to the wary: if you are running software that is version 0.10.25 in production, and complaining that things aren't "Ready for enterprise" then all I have to say is "no shit, look at the version number!"

If you aren't ready/willing to deal with a fast moving deploy target, then stick to Ruby/Python or better still JVM/.Net!

You're right, I was far too indignant. I can't say that I don't trust npm. I am a javascript developer, after all. For the most part, I have had a great experience working with Node.js and npm. Further, we were not affected by the bug at my company.

I hadn't seen the seldo's apology when I posted, but they do seem very honestly apologetic. Like I said, I have nothing against them messing something up time and again, especially something that shouldn't break responsible production environments. Everybody makes mistakes.

The big red flag to me was the deletion of Rob's criticism. I know they must have been very stressed out, but it wasn't a good move. The industry needs to question if we can rely on these people, and kneejerk reactions like that don't earn any trust.

Nobody can deny that trustworthiness is a touchy subject as npm transitions into a real company. Node developers rely on the reliability of their development stack, and the reputation of node is largely in the hands of this organization. As npm changes and becomes more opaque, it will become harder for the open alternatives to keep up. If npm gets messed up, node does too. For developers working on production node projects, there is certainly something to lose. If the time comes that npm does need to be forked, the path forward will certainly be a bumpy one.

For the time being, I continue to trust npm for my js modules (and even with my "life", considering I have a few -g installed modules.) Like I said, developers working on node projects don't have much choice, but after reading their apologetic response I will continue to trust npm.

> better still JVM/.Net!

Sure do, enjoying them every day.

I'm not sure why you think version number is any indicator of quality. In any case, npm is 1.4.4 on my machine.

As per semantic versioning, 0.x.y is for development. That's not to say that code quality will be necessarily lower, but the API and functionality is expected/allowed to fluctuate prior to 1.0.0.

For more info on semantic versioning: http://semver.org/spec/v2.0.0.html

Your point regarding npm itself being beyond 1.0.0 is fully valid, I just wanted to clarify the reason for certain expectations existing based on version number.

node does not use semantic versioning.

Then there shouldn't be an expectation that it is "enterprise ready" at all, right? :P

Having looked, I can't find any link citing that one way or the other, but that doesn't change the fact that enough things these days do adhere to semantic versioning that many people expect certain things based on the version number.

node.js uses very non-semantic versioning. It's generally understood that a 0.x release isn't production-ready, but node.js is widely considered production-ready and in fact every even-numbered release below 1.0 is considered stable. That's a pretty arbitrary and nonsensical scheme if you ask me, but you're not. The bottom line is that backwards incompatible changes aren't expected for a 0.x.y release where x is even.

I don't think it's an indicator of quality.

But "enterprise readiness" (whatever that means) which is what Rob the random commenter was talking about in his comment, seems silly on a runtime that is below version 1.0

Yes npm is 1.4.4, but node is 0.10.25. So an expectation of ANYTHING being "production ready" on a non-production ready runtime seems fraught.

I get that nodejs is high quality and it is run in production all over the place (I myself run it, and even meteor in production applications). But I understand there are risks and it's a fast moving target.

Off topic: Author is seeking employment & could use some life guidance... https://twitter.com/robcolbert

For those reading this later (he's posted many tweets since), he appears to have quit his job one week ago:


and today has no money:


but doesn't want to work for another "shop beholden to the weakness of its internal IT":


It's difficult to have a ton of sympathy, but it's still just an overall sad situation.

Wait, he didn't keep a 6-12 month cash emergency fund?

I guess his finances aren't enterprise-ready...

This comment is in poor taste :(

You're probably right. I feel the original article was itself in poor taste, but that is no excuse for me stooping down to the same lack of taste. Apologies.

> Author is seeking employment & could use some life guidance... https://twitter.com/robcolbert

Hmm...Life guidance. I don't know.

Sometimes a technology's biggest detractors are its most fervent adherents. The drama, fuss, immaturity and irrationality are just off-putting and scream to everyone else "Do you enjoy drama? Do you want to be in the middle of trolling wars on Twitter? Please join us, just use Node.js, it all comes with it as part of the package!".

This isn't the only thing. The drama with Joyent fake firing that person who didn't want to accept some doc updates. Is that all? I may be wrong, but there is just no end to immaturity and drama. The people and culture associated with this technology are off-putting to me. Maybe others love it, good for them.

Don't forget about the npm trademark thing.


Passionate people create drama... which technology stack are you in that doesn't have drama? Because I can't think of a modern one that doesn't have some amount.

And the catch-all is of course Steve Ballmer's sweaty speech...

C, Go, Erlang, Python -- none have this level of drama and immaturity. Passionate people who are immature create drama. Passionate people who are mature don't create drama.

Python had "fork my dongle"... Two people got "actual fired" over an innocuous comment made between friends at a conference.

C is a different kettle; I suspect it had its drama time, but the internet wasn't around to amplify it.

Go's and Erlang's combined communities are a fraction of the Node, Python and Ruby ones (individually).

Those that read into internet ranting and call it drama or immaturity, are simply displaying their own maturity. The vast majority of people in these communities are mature professionals... now and then you get a blowup, that isn't a reflection on the technology or community but the individuals involved.

I'm curious as to why he is celebrating a single Node process handling 135 concurrent connections.

I think it's more that his home internet connection can do it.

Rob really needs a $5/mo digital ocean instance...

You're right. I hadn't seen that when I posted the above comment.

I don't think it's even 135 concurrent connections, it's 135 users who have his page open. Probably far less were actually loading it simultaneously.

Then leave it out or make a new post. This is not somethingawful or 4chan. We should be above doxxing people because they have opinions.

Perhaps npm, Inc should hire him instead of deleting his posts.

I wouldn't hire him. In fact, I think he goes on an explicit no-hire list. And I definitely would have deleted the comment and banned him from making further comments.

The mass of people coming to his defense is a great example of why I can't take the JavaScript community seriously. The very first line of the comment screams "arrogant jackass" who won't play well with others and prefers to make his points through mockery and derision.

Thanks for reaffirming my commitment to not read up about an author/user/submitter other than in regards to the opinion/assertion made at hand...


> I decided not to fight for changing something for the better today and quit. Why do companies lie? Why do ppl fear change?

I am not wise enough to be called a source of wisdom...but if you are in IT, and your company is not actively poisoning children or criminally violating you, do not quit out of professional principle without a backup plan.

> do not quit out of professional principle without a backup plan.


It's an interesting thing to read through after reading the other HN article "We have luxurious jobs but we are not aware of it" [0].

> Thanks for reaffirming my commitment to not read up about an author/user/submitter other than in regards to the opinion/assertion made at hand...

Oh dear, down the rabbit hole I go...

As far as I can tell, it seems to be about IT not supporting MongoDB and him not wanting to use *SQL.

> I will key=value a BLOB in your row. Good luck reporting that. I am NOT dealing with tables. It's 20 the fuck 14.


[0] http://blog.gedrap.me/blog/2014/02/27/we-have-luxurious-jobs...

Yikes. He seems to be in a really bad place right now. I don't think tweeting and acting like that are going to help his prospects though. He seems like a passionate person but I'm not sure he is communicating that passion in the best of ways. Hopefully things get better for him.

Stefan_kendall, your last several comments are dead. You seem to be hellbanned, FYI.

Hence the "Vitriol gets you nowhere. This is something I've learned the hard way.".

Seems to be very slow, text can also be found here: https://news.ycombinator.com/item?id=7321609

More context: https://news.ycombinator.com/item?id=7320833

From the author:

Oh, boy. A DSL line isn't sufficient to handle 150 people accessing the site right now. It may be slow, but it's not going to go down. It's powered by Node, the nodejs process is only using 56MB of RAM and about 40% CPU. I'm fine. My bandwidth is simply depleted. Have patience, and thank you for visiting. I need some bandwidth and a budget. Wow.

I'll never understand this when a $5 digital ocean VPS could perform far better, and probably a lot cheaper than the extra electricity he's burning at home.

According to a document published by the government where Rob lives [1], electricity rates are around 0.08 USD/kWh. We can assume Rob uses a computer at home anyway, and would have his DSL modem on anyway, so the extra electricity should be computed based on a single desktop being on for the extra hours per day that it might otherwise be put to sleep. Typical power consumption for a desktop box is around 90W if it is somewhat active vs. sleeping. There are about 730 hours in a month, but his computer would be on say 30% of the time anyway, so that's 511 extra hours per month. That comes to 46 kWh per month of extra electricity, which in his area costs about 3.68 USD per month.

So the price is slightly less, but the value for money isn't good with the home solution. Then again, unemployed people are sometimes known to make suboptimal economic decisions in terms of expected value, because they're optimizing for other things (e.g. being able to switch off a cost mid-month).

[1] http://www.oca.state.pa.us/Industry/Electric/elecomp/Archive...

Even just sticking a caching CloudFlare instance in front of the thing would do better than it currently is.

Or AppEngine. Or GitHub Pages if the content's static. Both of which are effectively free.

Running a home server is fun, but not the best choice if you're publishing content to the outside world.

Obligatory warning: Github pages can go down and sometimes can't handle a slashdotting.

Case in point: https://status.github.com/messages/2013-11-13 (due to https://news.ycombinator.com/item?id=6722197)

Because hosting it yourself is so much nicer and you learn so much more from it. It's not nicer in terms of connection speed (although unlimited bandwidth counters that a bit), but you just have everything under control. You can do and put anything on the server while being assured there is no BOFH nosing in your data, or someone social engineering the support team. I would not feel entirely safe storing private keys on a VPS.

I agree that from a business perspective, a VPS is the obvious winner. You don't get redundant hardware and fast internet at home for the same price as you can with a VPS. And if something goes down, you needn't be the one on call: your host fixes it all for you. But for personal hosting that doesn't need someone on call, I prefer hosting my own stuff.

And, especially on DSL internet, it's much nicer to have your data and backups in the LAN instead of having to up/download it all through that pipe. So if you have a server at home anyway, no need to get another VPS really.

Please, make it better. The last thing the JavaScript community as a whole needs is more fragmentation. You know JavaScript, why don't you contribute to NPM?

When that security bullshit happened with RubyGems a year ago, many members of the Ruby community pitched in and helped the RubyGems team get the site back in order, even making Chef scripts so the whole thing is repeatable. Now, RubyGems is more secure and runs faster than ever.

Thank you for posting this. I completely agree. We already have a package manager, there's no need to fork it and have to have 2 competing things when it's all open source and those with knowledge can contribute to make npm better.

Waiting for the page for 3 minutes, so far only the title has loaded (and probably the rest of the html but it's not showing).

> Powered by Pulsar

For various definitions of 'powered'.

The site’s hosted on a machine in his house, and is served over a DSL connection.

He says Node and/or Pulsar are doing well enough (150 connections using ~50 MB of RAM and 40% CPU) - apparently he just doesn't have enough bandwidth to get everything out to everyone.

Hosted my own blog on DSL for years, I know the issues. He just shouldn't try to serve up half a megabyte of javascript over that connection. The Javascript is required though, so I'm not sure you can't blame Pulsar.

> Try harder, or get forked.

I really like that, and fits so well for some FOSS projects.

Not sure why, but HN user "IsaacSchlueter", who purports to be the comment thread moderator, posted an explanation/rebuttal/apology to the OP in this comment thread an hour ago.


However, Isaac has been hellbanned...I'll repost just to give him the benefit of the doubt:


> We didn't moderate away anything. I am literally the only person who CAN moderate those comments, and I was at a conference all day. 100% of my online time was spent working with my team to figure out the fastest path to a fix. We didn't realize the extent until way too late, and that's bad on us. I apologize. I didn't delete your comment. I'll look at the moderation queue and see if maybe disqus is set to auto-hide after some time or something. I'm sorry for the confusion there.

Not hellbanned, probably just tripped up by the duplicate comment detector: https://news.ycombinator.com/threads?id=IsaacSchlueter

I was wondering if the rate of voting or the absolute value of the post's rating (it had a ton of upvotes) triggered a Disqus protection thinking it was a flame war, similar to flamewar protection on HN.

That's why I moderate comments directly myself on my own blog, without using Disqus or akismet. Those systems have false positives.

I eliminated almost all my comment spam by writing a custom version of the Growmap Anti-Spam plugin.

Hrm, there's a lot of Noderage on HN tonight..

Incidentally, if anyone here was actually affected by this, they put up a reasonable explanation / apology / useful-resolutions blog post that no-one seems to be paying attention to: http://blog.npmjs.org/post/78165272245/more-help-with-self-s...

Funny. I saw this earlier on NPMjs.org and it had 22 upvotes, 0 downvotes. Does it say anywhere why, exactly, it was deleted, or do they just delete anything they don't like?

If you're referring to Disqus comments, they no longer display the downvote count. Which I find pretty obnoxious, but oh well.

Is "moderated" a new euphemism for "deleted" ?

I think they used that term because it went from being visible to "awaiting moderation" before disappearing altogether.

Blank page for me? And view source reveals nothing useful. Apparently this is some kind of javascript application and not a web page?

Same here. AngularJS, misused for a content site, strikes again...

It's somewhat amusing to see him brag about how he's a self-sufficient bad-ass that can keep his site running because he doesn't use any hosting services and he wrote his CMS himself, and then when the site doesn't actually stay up he starts backpedaling and saying it's because it's on his home network and he threw the whole thing together in two weeks only spending a few hours each week and making it better isn't really a priority.

"I'm awesome because I built this kick-ass system." "Yes, well, this system isn't working very well." "Well it's not like I tried very hard."

The comment thread on his post is a trainwreck. The guy needs to learn when to shut his mouth. He even comes across as a total hot-head in the description of his last job on his resume. I'd feel kind of bad for him if he wasn't being such an asshole.

The sheer volume of tweets this guy is pumping out is pretty crazy to me. How he has time to focus on anything else I have no idea.

This guy complains about npm's scalability and architecture but is himself not able to structure a single blog post to make it readable.

"I have been free riding on this piece of technology that is completely open and that I, if I were able, could help make better. Instead I'll just be condescending to the people who have spent countless hours of their personal time because something didn't work as I want/understood it to. Go me."

The smallest font I've ever seen on a web page, period.
