Namespaces, Intellectual Property, Dependencies And A Big Giant Mess
from the yikes dept
However, a “patent agent” (not a lawyer) at Kik then reached out to Koculu about the possibility of changing the name of his “kik” module, saying:
Azer: We’re reaching out to you as we’d very much like to use our name “kik” for an important package that we are going to release soon. Unfortunately, your use of kik (and kik-starter) means that we can’t and our users will be confused and/or unable to find our package.
Can we get you to rename your kik package?
Azer saw that the request came from a “patent agent” and, believing it was an intellectual property lawyer, told him he had no interest in changing the name:
Sorry, I’m building an open source project with that name.
It appears that there were a few initial misunderstandings already here. Both in whether it was a lawyer making the request and with respect to the nature of the request (and that Kik is looking to release its own open source code on npm, rather than just acting like an all-too-typical trademark bully). And it gets worse almost immediately as Stratton responds in exactly the wrong way, by moving to a pretty clearly implied legal threat:
We don’t mean to be a dick about it, but it’s a registered Trademark in most countries around the world and if you actually release an open source project called kik, our trademark lawyers are going to be banging on your door and taking down your accounts and stuff like that… and we’d have no choice but to do all that because you have to enforce trademarks or you lose them.
Can we not come to some sort of a compromise to get you to change the name without involving lawyers? Is there something we could do for you in compensation to get you to change the name?
Bringing up trademark and trademark lawyers at this point is stupid, but depending on how you read this you could see how Stratton actually meant it to be more explanatory, as in “Hey, let’s talk about this,” but it pretty clearly comes off as “Hey, give me what I want… or else big mean lawyers.” And the latter is exactly how Koculu took it, responding: “hahah, you’re actually being a dick. so, fuck you. don’t e-mail me back.”
At that point Kik and Stratton reached out directly to NPM (along with one more attempt to reach out to Koculu, including offering to compensate him for changing the name — which would actually have been a reasonable request had it come before the threat of lawyers), and after reviewing the exchange NPM did something that surprised many: it decided that Kik was in the right and handed the kik name over to the company. Here was their email:
I hear your frustration. The desire to continue to use the kik and kik-starter package names is clear.
Our goal is to make publishing and installing packages as frictionless as possible. In this case, we believe that most users who would come across a kik package, would reasonably expect it to be related to kik.com. In this context, transferring ownership of these two package names achieves that goal. I understand that you’ve committed time and energy to the packages already, and we don’t take that lightly. I’m hopeful that you’ll be able to republish this project with a new name.
Can you provide an npm account to transfer the name to?
Thank you both for your patience and understanding.
Some of this could have been avoided if whatever “arbitration” process there was over handling name conflicts was more out in the open. A lot of people are discussing the trademark law question here, and that seems… premature. Stratton shouldn’t have brought up trademark law in his email, and there’s a reasonable argument that there’s not much of a trademark conflict here, but it’s not totally cut and dried. Either way, there should have been a way to settle it much more amicably, including a more open arbitration process where both sides were able to make their cases, and the process and its possible outcomes were clear. Instead, NPM just sided with Kik and away things went.
Koculu, reasonably upset by this move, removed everything that he had from NPM:
This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People.
Summary: NPM is no longer a place that I’ll share my open source work at, so, I’ve just unpublished all my modules.
This is not a knee-jerk action. I love open source and believe that open source community will eventually create a truly free alternative for NPM.
The problem came from the fact that a ton of systems relied, either directly or indirectly, on another bit of code by Koculu, called left-pad, and when it went away a ton of stuff on the internet broke. A variety of services either rely directly on the 11 lines of code that make up left-pad, or rely on other modules that in turn rely on left-pad. Remove those 11 lines of code and apparently a whole lot of the internet breaks. Koculu did move the code elsewhere, and most of this could have been fixed by just pointing dependencies there instead. Or, since it was open source, someone could just… replace left-pad. And that’s what someone did. Another NPM user, Cameron Westland, apparently republished left-pad with a higher version number, which is allowed when a project has been unpublished. However, since some of the dependencies pointed to the specific version number of left-pad, things were still broken, and NPM took the “unprecedented” step of giving the new left-pad back the old version number (0.0.3), at which point stuff stopped breaking (for now).
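To make the “downstream” dependency problem concrete, here is an added example in JavaScript; it is not code from the article or from npm. It builds a small lock-style dependency graph modelled on the left-pad situation, a minimal semver range matcher covering only the range forms used in that graph, and two helpers: one reports every package that transitively depends on a given name, the other reports whether a republished version would satisfy each direct dependent’s declared range. All package names, versions and ranges in the graph are constructed for illustration.

```javascript
// Added example, not code from the article or from npm: a constructed
// lock-style dependency graph modelled on the left-pad incident, a minimal
// semver range matcher, and helpers that show who breaks when a package
// disappears and whether a republished version would satisfy each dependent.

// Constructed graph: name -> { version, dependencies: { name: range } }.
// Names, versions and ranges are illustrative; line-numbers pins left-pad exactly.
const GRAPH = {
  'left-pad':     { version: '0.0.3', dependencies: {} },
  'line-numbers': { version: '0.2.0', dependencies: { 'left-pad': '0.0.3' } },
  'babel-core':   { version: '6.7.4', dependencies: { 'line-numbers': '^0.2.0' } },
  'my-app':       { version: '1.0.0', dependencies: { 'babel-core': '^6.7.0', 'is-array': '^1.0.0' } },
  'is-array':     { version: '1.0.1', dependencies: {} },
  'other-tool':   { version: '2.0.0', dependencies: { 'left-pad': '>=0.0.1' } },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal semver range matcher for the forms used in GRAPH:
// exact "1.2.3", caret "^1.2.3", tilde "~1.2.3", ">=1.2.3" and "*".
function satisfies(version, range) {
  if (range === '*') return true;
  const op = /^[\^~]|^>=/.exec(range);
  const base = op ? range.slice(op[0].length) : range;
  const [bMaj, bMin, bPat] = parseVersion(base);
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;   // below the lower bound
  if (!op) return compareVersions(version, base) === 0;   // exact pin
  if (op[0] === '>=') return true;
  if (op[0] === '~') return vMaj === bMaj && vMin === bMin;   // same major.minor
  // caret: the leftmost non-zero component must not change
  if (bMaj > 0) return vMaj === bMaj;
  if (bMin > 0) return vMaj === 0 && vMin === bMin;
  return vMaj === 0 && vMin === 0 && vPat === bPat;           // ^0.0.x is effectively exact
}

// Reverse walk: every package that depends on `name`, directly or through others.
function dependentsOf(graph, name) {
  const seen = new Set();
  const queue = [name];
  while (queue.length > 0) {
    const target = queue.shift();
    for (const [pkg, meta] of Object.entries(graph)) {
      if (Object.prototype.hasOwnProperty.call(meta.dependencies, target) && !seen.has(pkg)) {
        seen.add(pkg);
        queue.push(pkg);
      }
    }
  }
  return [...seen].sort();
}

// For each direct dependent of `name`, does its declared range accept `newVersion`?
function republishCoverage(graph, name, newVersion) {
  const coverage = {};
  for (const [pkg, meta] of Object.entries(graph)) {
    const range = meta.dependencies[name];
    if (range !== undefined) coverage[pkg] = satisfies(newVersion, range);
  }
  return coverage;
}

function report(graph, name, newVersion) {
  return {
    removed: name,
    affected: dependentsOf(graph, name),
    republishedAs: newVersion,
    directDependentsSatisfied: republishCoverage(graph, name, newVersion),
  };
}

console.log(JSON.stringify(report(GRAPH, 'left-pad', '1.0.0'), null, 2));
console.log(JSON.stringify(report(GRAPH, 'left-pad', '0.0.3'), null, 2));
```

Run as-is, the first report shows that four packages break when left-pad is removed, although only two of them name it directly, and that republishing as 1.0.0 repairs other-tool but not line-numbers, whose exact pin keeps babel-core and my-app broken; the second report shows why restoring 0.0.3 was the one republish that fixed everything.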
And since then… everyone’s been yelling at each other. Some more reasonably than others. So, a few thoughts on all of this:
- The trademark thing: Lots of people are focusing on this, but it’s kind of a red herring. No trademark lawyers were ever actually involved. However, to me, it’s much more a condemnation of the idiotic ways in which trademark law (not to mention copyright and patent law) are so frequently abused in the tech space and beyond. So many in the tech community are quite reasonably primed to be outraged at stupid trademark bullying because it happens all the time, that it’s no surprise that Koculu’s instinctual reaction is that this was what was happening to him. The fact that Kik had a patent agent (why?!?) contact him, and then that patent agent brought up trademark in a threatening way, only confirmed Koculu’s initial reaction. Kik should have handled that much better.
- NPM’s dispute process: Since it operates the platform, it has every right to make decisions on how the platform is used and how it handles namespaces. However, with that power comes plenty of responsibility, if it wishes to maintain the trust and support of the developers who use it. Making decisions with little transparency or without a clear and open process is going to lead to results like this. NPM didn’t appear to attempt to arbitrate the dispute or to even calm down the initial exchange. It just decided one way with very minimal explanation and no indication that the process could be appealed or disputed.
- On “code stealing”: Some have argued that NPM “stole” Koculu’s code or that it just gave it to another person to maintain, but that’s wrong. The code was open sourced, so it could be reused. The only question was around allowing that code to have the original version number, which again gets back to a trust issue. As Sven Slootweg pointed out, the implications here could seriously undermine trust:
Then the next disaster struck, once people realized that not only could Kik (the company) push whatever code they wanted as a patch version to existing users of the kik library… but anybody could register any of the other now-removed NPM packages, and do the same thing.
This is a security issue so significant, that I can’t believe it even happened. Had a malware author scooped up left-pad, for example, they could have infected potentially thousands to millions of users with a single publish. In fact, that still might happen – because who is nj48 anyway?
This really cannot ever, ever, ever be allowed. Global namespace or not, once an identifier has been used and removed, it should not ever be possible to reassign it to anything else.
Another potential solution for this, which should be perfectly legitimate with open source code, is that if you’re publishing it as a package that can be a dependency, it can’t be removed. The developer can abandon it or move on, but they shouldn’t be able to delete the code. That, alone, was a big part of the problem here.
- Careful who you depend on: Really, the biggest thing that stood out to me in all of this is the house of cards of different dependencies that creates layers upon layers of interdependencies that many people don’t even realize exist. Pulling one little 11-line bit of code out of a package manager could bring parts of the internet to its knees. That’s ridiculous on multiple levels. David Haney had a great post on all of this asking whether people had forgotten how to code, given that they’re now relying on dependencies for very simple functions like left-pad:
…even if the package’s logic is correct, I can’t help but be amazed by the fact that developers are taking on dependencies for single line functions that they should be able to write with their eyes closed. In my opinion, if you cannot write a left-pad, is-positive-integer, or isArray function in 5 minutes flat (including the time you spend Googling), then you don’t actually know how to code. Hell, any of these would make a great code screening interview question to determine whether or not a candidate can code.
Finally, stringing APIs together and calling it programming doesn’t make it programming. It’s some crazy form of dependency hacking that involves the cloud, over-engineering things, and complexity far beyond what’s actually needed.
What’s worse is that if any of your code (or the 3rd party library code) has a bug or breaks, you won’t know how to debug or fix it if you don’t know how to program.
He’s right that people “outsourcing” such simple functions to packages seems ridiculous, but to me the bigger issue is why so many did so as a dependency. I’m less concerned about people reusing code (which can be a good thing) than about the fact that so many set things up to depend on code they had no control over. I get the value of modular systems and the ability to string things together, but when important code is totally reliant on layers upon layers of third parties, that seems ridiculous. If you want to reuse the code, why not just bring it into your program rather than taking a dependency on something so basic? Obviously, many of the systems that relied on left-pad didn’t even realize they were doing so, as they relied on other systems that had a dependency on left-pad, so the problem was “downstream,” so to speak. But, still, if you’re going to rely on dependencies, it seems like you should recognize just how fragile the house of cards you’re relying on may be.
The open source world is great and powerful, and the rise of package managers and code repositories is also great. But people should be aware of what they’re relying on when they build their systems, and how quickly it might fall apart. Oh, and trademark bullying is lame.