Claiming that users would be confused when installing the Kik package is a bit of a bad excuse. Installing a package without knowing what it is or does is simply nonsensical. There's no way of knowing even _how to use_ the package without looking up information about it beforehand. Anyone seriously installing a software package using a developer tool without knowing anything other than the package's name is a fool.<p>Additionally, the lawyers in question did not seem to want to put a new package online, they simply wanted to take down the existing one. This does not seem to be the intent of the name resolution policy.<p>This was a bad call on the part of the NPM team, and they should reevaluate how they arbitrate these issues.
> <i>npm won’t suddenly take your package name.</i><p>"...unless we do, in which case we will."<p>I wonder at the cognitive dissonance that has to be there to type a thing like this when the entire shit show started with you doing <i>exactly</i> what you're saying you won't do.
"npm did not 'steal' Azer's code."<p>"npm did not <i>respect</i> Azer's code."<p>"This incident did not arise because of intellectual property law."<p>"we believe that a substantial number of users who type npm install kik would be confused to receive code unrelated to the messaging app with over 200 million users."<p>"This incident <i>did</i> arise because of intellectual property <i>policy</i>."<p>"npm won’t suddenly take your package name."<p>"... except when we do"
I like to support people that do things to convey their opinion and protest a decision. Sometimes brazen behavior is warranted to get more attention to your cause. But not in this situation. What Azer did seems like a "knee-jerk reaction" performed mostly out of spite.
In other words: npm Inc says they have done nothing wrong and the only problem is the ability to unpublish versions other people depend on. This matches the way npm employees have been responding to the outrage on twitter yesterday.<p>However there are two causes for outrage here:<p>1. Azer unpublished a module a large number of projects depended on (mostly indirectly via babel, which itself depended on it indirectly via a line numbers package), breaking everyone's installs.<p>2. npm Inc handed over the kik package name used by azer for an actively maintained project to kik Interactive who previously tried to strongarm azer with vague legal threats unsuccessfully.<p>Personally I find #2 far more troubling but if you listen to what npm Inc and its employees have to say it's as if this isn't even worth mentioning.<p>A representative of kik Interactive asked azer for the package name (after having already published their own package on npm under a different name). Azer said no thank you, so the same person responded with an underhanded threat (but no actual legal claim) -- to which azer understandbly responded unfavourably.<p>Then the same person contacted npm Inc with wording that strongly implies he isn't looking for mediation but for npm Inc to do what azer refuses to do -- but with no indication that failure to comply would put npm Inc itself at any legal risk (which the statement now acknowledges although npm Inc employees have indicated otherwise before @ag_dubs clarified). And npm Inc just does exactly that.<p>As far as npm Inc and kik Interactive have been truthful about the exchanges that took place, at no point did npm Inc try to mediate between kik Interactive and azer over the use of the package name or alternate package names and the intended use by kik Interactive.<p>Npm Inc is behaving like a private company here. That's okay and they've done so in the past and repeatedly made it clear that they are a private company and offer the npm public registry as a free service and the npm client as an open source project.<p>However what is not okay is that npm Inc wishes to maintain an exclusive monopoly and special status within the node ecosystem by being an upstream dependency for the node project (the npm project existed before the formation of npm Inc as a private company and the npm registry was only transferred to npm Inc after it had already become the blessed module registry for node).<p>Right now node itself is under the control of the Node Foundation but npm (both the client and the registry) is under the control of npm Inc. The npm client and registry hold a special status within the node project by being shipped alongside node (which has previously resulted in licensing problems when npm Inc made changes to their license without notifying the node project) and being treated as "the" node module registry.<p>This means a non-trivial part of the node ecosystem -- as advertised and spread by the node project -- is under sole control of a private company. Further, npm employees are members of the Node Foundation and influencing it as such -- including Ashley Williams who was elected as a representative for the Node Foundation members despite an obvious conflict of interest (consciously or not) due to her prominent role at npm Inc.<p>It's a clusterfuck and I only see two options:<p>1. npm Inc continues to maintain the registry and client but stops interfering with attempts to replace npm as the authoritative module registry for the node project (leading to the eventual replacement of the registry and client by something under the control of the Node Foundation).<p>2. npm Inc defers arbitration and governance of the public npm registry to a Node Foundation committee (which they may join through the normal ways but hold no special status in), effectively giving control over policies to the Node Foundation (formalizing their special status without giving them as much power over the node project as they currently have).
Some interesting things to note:<p>NPM claims intellectual property issues had nothing to do with their dispute resolution.<p>NPM disregarded Azer's unpublish request by restoring `left-pad@0.0.3` from a backup of Azer's original publishing, <i></i>not<i></i> by repackaging the liberally licensed source.<p>NPM claims the full dispute resolution policy is still in place, yet many of the packages that have been taken over currently have no usable code and/or are being 'squatted' in direct contradiction of that policy.