Pocket reposted an older QZ article about Leftpad and it’s sort of reignited the controversy, at least for me.

Here’s the link.

I’d love to hear what you think of this, but here are my thoughts:

One, why is this not in the JS standard library? It’s a super commonly used method with equivalents in every programming language, right? JS is pretty notorious for being bloated (which isn’t necessarily a bad thing IMO), but the fact that it lacks this basic function is kind of ridiculous?

Two, people were calling him out as the villain for having the audacity to delete a method he knows powers most of the internet, and to those people I ask: Have you even looked into why that happened? The most common story was just that he was butthurt because “NPM didn’t treat him like royalty like he wanted”, but what actually happened was Kik, yes, the messaging platform notorious for being infested with child groomers, that Kik, wanted to publish their own library (I think it was an API for their app), and Koçulu already had a library called kik. So what does Kik do? Are they like any other programmer who would go “aw man, that name is taken, better come up with another name for my thing then!” No! They go to fucking NPM and essentially allege trademark violation (which is bullshit because Koçulu’s kik was not a commercial product, and trademarks only apply to names used in commerce). But NPM still removed Koçulu’s kik package, at which point Koçulu removed all his libraries and deleted his account in protest, and the rest is history. Long story short, it ended with NPM restoring his packages against his wishes, and as far as I know he never released anything on NPM again.

So, generally I see two hiveminds when it comes to this controversy. One is of course people mocking Koçulu for being a snowflake or whatever, that he needs to control his anger and not withdraw his packages because he didn’t get his way. Obviously, I disagree with that. I think Kik was being a snowflake for throwing a hissy fit that their name was already taken for something completely unrelated, by someone who almost certainly did not even use their app. They could have named their library kik-chat, kik-app, kik.com, whatever, and it still would have been the same library and people still would have discovered it. NPM claims that they did this to “reduce confusion”, but at best that is massively underestimating the intelligence of people who already know how to program, and is a complete lie cooked up by their PR team at worst. Needless to say, I don’t think he was in the wrong at any point of this.

The other hivemind was really mad at NPM, which is a step in the right direction, but they were mad that they restored his package. That makes no sense either, because one of the pillars of open source is that anyone can publish or distribute it as long as they distribute it with the original license and give credit. NPM is an asshole, but they still have the right to distribute an open source library. What we should be mad at NPM for is that they threw him under the bus by removing his package in the first place. Again, Kik has no legs to stand on and NPM was never in any legal trouble because of this, trademarks do not apply to non-commercial products. They’re called trade marks. Trade. As in commerce. Also, it really highlights their priorities that they hold a corporation infamous for enabling children to be victimized in higher regard than someone making code used by the entire internet and not getting paid for it. I also don’t see enough people being mad at Kik. What they did was absolutely unacceptable and they should have faced the brunt of the hate. Then again they’ve already shown themselves to be horrible so they probably would have shrugged it off or maybe even played into it for publicity.

What can the open source world learn from this? Well, for one, I think it has become clear that having your open source dependencies managed by a for-profit company is bad. I wouldn’t be surprised if Kik paid NPM a ton of money and essentially “bought” the kik name like a fucking NFT. The solution would be a combination of package repositories managed by worker co-op nonprofits with transparent financial reports, and decentralized/independent package sources hosted by the authors themselves. If JS took inspiration from Java just a bit more and also made their dependency naming system work by domains, we would have gotten com.koculu.kik and com.kik.kik, and no conflict. Almost like a federated package manager. Especially now that NPM is owned by Microsoft and Yarn was always owned by Facebook, we really do not have a good, trustworthy JS dependency repo, which is a problem because like the language or hate it, it is still extremely important for our modern computing environment. I think it’s long overdue to break their duopoly.

IDK, that’s the end of my rant. Didn’t really mean to write a wall of text, I just saw this article and it got me wanting a retrospective, but yeah. What do you think? Do you agree? Disagree? Why or why not?

  • @[email protected] · 1 year ago

    I don’t really care about mediocre developers’ infighting. Bad devs chose to depend on 3rd-party code because they are not good enough to code a left-pad function. A bad ecosystem is being used by said mediocre devs…

    I don’t need all of this to make my web application. If tomorrow npm is dead I can switch or even code an equivalent myself. I keep my dependencies at a minimum and use tools and libraries such as npm as ways of doing things faster, not for doing things I don’t understand/can’t do myself.

    If people dislike npm’s way of doing things they can easily code a better one. Actually, several alternatives exist.

    If you have security concerns you can add additional checks such as in-house code review of packages and saving the hash of said version. You could even share this knowledge with trusted partners in a common database.

    We have other issues where laws (patents) or the economic system (entrepreneurship) are a real barrier to better solutions. My point of view on this matter is that it is mainly a lack of skills and bad culture.

    • Helix 🧬 · 1 year ago

      My point of view of this matter is that it is mainly a lack of skills and bad culture.

      Amen!

    • @[email protected] [OP] [M] · 1 year ago (edited)

      I’m still manually doing HTML includes for jQuery and Bootstrap. Not from CDNs either, I download the files to my repository with the correct license and attribution notices and host them on the same static file server as all my custom assets. It’s really not hard to do and also means your website has one less tracker for users to worry about (yes CDNs track you, even the ones that swear they deliver files anonymously because how exactly do you plan on proving that they actually deliver files anonymously).

      Also, I never really found PWA frameworks any better than good old jQuery and Bootstrap, so yeah, I still use those two. This also means my webpages do not require JS to load, making them lighter, more compatible with legacy browsers, as well as working most of the way with JS disabled if the user is not comfortable with allowing JS from some rando’s blog (which, as a rule, users shouldn’t be).