Although that statement is clearly a gross over-simplification (and exaggeration), the event has raised some very serious questions about how “modern” web applications are being architected. Before I dive into my thoughts on the subject, let’s revisit three important posts:
- Azer Koçulu’s post explaining why he un-published 273 npm packages
- Kik responds with their side of the story
- npm responds with their side of the story
TL;DR — Kik (the company) wanted the existing module name “kik” (which Azer owned) and npm unilaterally decided who won the dispute (spoiler: it was Kik). In protest, Azer removed all 270+ of his modules from npm — breaking literally thousands of npm dependency chains in an instant.
Here are some quick thoughts and opinions about what happened.
npm: Probably the right decision, but for the completely wrong reasons
This may be an unpopular opinion, but I think Kik has every right to defend/enforce their trademarks — not because I particularly agree with Kik, but because I believe that trademarks exist for a reason. I’m certainly not a lawyer, and honestly I know very little about trademark law. But based on what I have read, it seems to me that Kik would likely have won this decision in a court of law. Therefore npm probably made the correct decision to grant ownership of the module — but they did so without the proper legal justification.
What I find most interesting is that the npm dispute document (linked from their post, listed above) does not say the word “trademark” in it anywhere. “Copyright” is as close as it gets, but as I understand US law copyrights and trademarks are very different things. Twitter has a similar document for managing disputes, in which they are very explicit about resolving trademark disputes:
When we determine that an account appears to be confusing users, but is not purposefully passing itself off as the trademarked good or service, we give the account holder an opportunity to clear up any potential confusion. We may also release a username for the trademark holder’s active use.
For me, a member of John Q. Public, this seems pretty open-and-shut.
However, I am a bit disturbed that npm would do anything when a company is threatening legal action against one of their users. I haven’t read all of the npm terms of service, but they completely threw Azer under the bus. From that perspective, I don’t blame him for abandoning npm completely.
My opinion here is that npm should have told Kik to move ahead with their legal process. npm would have to comply with a court order stating that Kik’s trademark was being violated by Azer — but I don’t believe that (in this case) npm had the legal expertise to make that decision on their own.
If I Were Azer, What Would I Have Done?
I don’t know Azer personally, nor have I even really known about him before this week. This whole situation makes me wonder if any of his packages are (were?) dependencies of mine, though I haven’t noticed anything broken yet. I do have an npm package of my own, and I’ve been involved in OSS for a long time — but it sounds like Azer can boast about much more in that arena than I ever can.
Having said that, my gut reaction is that his decision to unpublish 270+ modules was rash at best and malicious at worst. Azer’s post (linked above) clearly states that his decision was “not knee-jerk action”… I guess I just don’t believe that, but I’m not here to pile judgement onto someone I have never met.
What would I have done if I were in his shoes? Honestly I’m not 100% sure because it’s clear to me based on the things I’ve read that emotions were very high. If I were to hold true to my core values, I would like to think I would have acted differently. Let’s explore that rationale.
The world needs great OSS maintainers like Azer, and his time is to be valued — but Azer knew damn well what yanking 270+ modules off npm would do. He knew a LOT of other people’s code would break. He may have felt like he was sticking it to npm, but mostly he wasted a LOT of other people’s time.
I take my career and my reputation very seriously — which is why “accountability” is one of my core values. If I say I’m going to do something, I do it. If I break something, I fix it.
I don’t know exactly how I would respond to npm’s decision if I were in Azer’s shoes, but I know that I would not have removed all my code from npm. It immediately feels like the wrong decision.
From the email chain I read in Kik’s response (link above), I absolutely agree that Kik was threatening Azer with legal action. The “casual” language from Kik in those messages is appalling given the clear legal implications they insinuate.
Azer’s response in those messages (assuming Kik’s blog post is factual) is equally appalling. If there is one thing I’ve learned in business it’s that being confrontational gets you absolutely nowhere. Calling someone a “dick” and telling them “fuck you” accomplishes nothing — it only strengthens your opponent’s resolve.
What would I have done if I were in his shoes? I would have chosen my words far more carefully, and probably called Kik’s bluff to pursue legal action.
I have heard some of Azer’s defenders applaud him for sticking to his values — again, I don’t know him so I don’t know how much that’s true.
In any case I feel horrible for Azer. Not only did some company demand ownership of something he has worked hard on (i.e. the name/brand of the work, not necessarily the work itself), but his name is being tossed around on the internet on blogs like mine as we all dissect the events. I certainly want more people in the industry to know about me; but I’d rather an event like this not be the reason why.
I have high expectations for myself — but I also hold the rest of the world to high expectations. Frequently I am disappointed, as I am with the actions of npm in this case.
NOTE: I don’t believe Azer had the foresight to know just how big a stink would be raised if he unpublished his code. If I’m wrong about that, and Azer knew this would blow up to the epic proportions it has — then it was a brilliant protest that might well accomplish that end. But based on his post (linked above), I don’t believe that to be true.
There’s nothing fun about this situation.
I certainly would have explored how Kik would “compensate” me for my troubles.
npm is a House of Cards
- When you install a dependency from npm, you also install a clusterfuck of its dependencies and its dependencies’ dependencies (and it’s turtles all the way down). Far too few people seem to care about those implications.
- Installing npm dependencies means you’re downloading a ton of code you don’t actually need — things like tests, documentation, binaries AND minified source AND non-minified source, etc
- Installing all of that shit makes downloading things take longer and wastes disk space
- There really isn’t any existing mechanism to compile and deploy applications built on top of a stack of npm dependencies. When you deploy a NodeJS application these days, most people blindly deploy all of the raw content contained in their npm dependencies. Ugh.
- Package scripts in npm modules could easily be malicious, and developers running npm install are extremely vulnerable
The article is a fantastic read, but it also ignores other major problems with npm specifically:
- Package namespaces don’t exist; this entire problem with Azer and Kik would have been solved if they did.
- The ability to un-publish packages in its current form clearly shouldn’t exist.
Kik has the right to defend their trademarks, but I’d say that “Bob” (their patent agent) needs to work on his bedside manner. I don’t know how he expected this situation to unfold given the language in his emails; tech companies already have poor reputations (diversity, pay-equality, gentrification, etc) and it’s completely unacceptable for anyone representing a tech company to treat people like this. If Bob (and by proxy, Kik) “doesn’t want to be a dick” then don’t be a dick — nobody likes receiving legal documents, but there’s a reason why they’re formal.
npm gets nearly all of the blame here, in my opinion. I don’t buy their rationale for making their decision, and their blog post explaining their rationale was devoid of any empathy for Azer. I am disappointed and frustrated that the company at the epicenter of web development in 2016 would react the way they did — but more importantly I’m bewildered that this situation could even happen in the first place. Infrastructure is supposed to “just work”, and the details in this case make it clear that npm is not holding true to their vision of software development.