Namespaces, Intellectual Property, Dependencies And A Big Giant Mess

from the yikes dept

There's been a bit of a mess in the programming world the past few days, one that you may have missed if you don't pay close attention to certain circles of the internet, but it's fascinating on a number of different levels. The mess began when people at the messenger app Kik realized that someone else, a guy named Azer Koculu, had a module on NPM named "kik." Some background: NPM stands for Node Package Manager -- and that's exactly what it is: a package manager/repository for programmers to share and reuse javascript code, useful for folks using node.js (a server side javascript environment). This is a good thing, as it allows for fairly easy opportunities to share code and build on the work of others without having to reinvent the wheel.

However, a "patent agent" (not a lawyer) at Kik then reached out to Koculu about the possibility of changing the name of his "kik" module, saying:
Azer: We’re reaching out to you as we’d very much like to use our name “kik” for an important package that we are going to release soon. Unfortunately, your use of kik (and kik-starter) mean that we can’t and our users will be confused and/or unable to find our package.

Can we get you to rename your kik package?

Bob Stratton

kik Interactive
Azer saw that the request came from a "patent agent" and, believing it was an intellectual property lawyer, told him he had no interest in changing the name:
Sorry, I’m building an open source project with that name.
It appears that there were already a few misunderstandings here, both about whether it was a lawyer making the request and about the nature of the request (Kik was looking to release its own open source code on npm, rather than just acting like an all-too-typical trademark bully). And it gets worse almost immediately, as Stratton responds in exactly the wrong way, by moving to a pretty clearly implied legal threat:
We don’t mean to be a dick about it, but it’s a registered Trademark in most countries around the world and if you actually release an open source project called kik, our trademark lawyers are going to be banging on your door and taking down your accounts and stuff like that — and we’d have no choice but to do all that because you have to enforce trademarks or you lose them.

Can we not come to some sort of a compromise to get you to change the name without involving lawyers? Is there something we could do for you in compensation to get you to change the name?

Bob Stratton

kik Interactive
Bringing up trademark and trademark lawyers at this point is stupid, but depending on how you read this you could see how Stratton actually meant it to be more explanatory, as in "Hey, let's talk about this," but it pretty clearly comes off as "Hey, give me what I want... or else big mean lawyers." And the latter is exactly how Koculu took it, responding: "hahah, you’re actually being a dick. so, fuck you. don’t e-mail me back."

At that point Kik and Stratton reached out directly to NPM (though along with one more attempt to reach out to Koculu, including offering to compensate him for changing the name -- which is actually a reasonable request, if it had come prior to threatening with lawyers), and after reviewing the exchange NPM did something surprising to many: it decided that Kik was in the right, and handed over the kik name to the company. Here was their email:
Hi, Azer.

I hear your frustration. The desire to continue to use the kik and kik-starter package names is clear.

Our goal is to make publishing and installing packages as frictionless as possible. In this case, we believe that most users who would come across a kik package would reasonably expect it to be related to kik.com. In this context, transferring ownership of these two package names achieves that goal. I understand that you’ve committed time and energy to the packages already, and we don’t take that lightly. I’m hopeful that you’ll be able to republish this project with a new name.

Bob,

Can you provide an npm account to transfer the name to?

Thank you both for your patience and understanding.
Some of this could have been avoided if whatever "arbitration" process there was over handling name conflicts was more out in the open. A lot of people are discussing the trademark law question here, and that seems... premature. Stratton shouldn't have brought up trademark law in his email, and there's a reasonable argument that there's not much of a trademark conflict here, but it's not totally cut and dried. Either way, there should have been a way to settle it much more amicably, including a more open arbitration process where both sides were able to make their cases, and the process and its possible outcomes were clear. Instead, NPM just sided with Kik and away things went.

Koculu, reasonably upset by this move, removed everything that he had from NPM:
This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People.

Summary; NPM is no longer a place that I’ll share my open source work at, so, I’ve just unpublished all my modules.

This is not a knee-jerk action. I love open source and believe that open source community will eventually create a truly free alternative for NPM.
The problem came from the fact that a ton of systems relied, either directly or indirectly, on another bit of code by Koculu, called left-pad, and then basically... a ton of stuff on the internet broke. A variety of services either rely directly on the 11 lines of code that make up left-pad, or rely on other modules that in turn rely on left-pad. Remove those 11 lines of code and apparently a whole lot of the internet breaks. Koculu did move the code elsewhere, and by just pointing dependencies there most of this could have been fixed. Or, since it was open source, someone could just... replace left-pad. And that's what someone did. Another NPM user, Cameron Westland, apparently republished left-pad with a higher version number, which is allowed once a project has been unpublished. However, since some of the dependencies pointed to the specific version number of left-pad, things were still broken, and NPM took the "unprecedented" step of giving the new left-pad back the old version number (0.0.3), and stuff stopped breaking (for now).

And since then... everyone's been yelling at each other. Some more reasonably than others. So, a few thoughts on all of this:
  1. The trademark thing: Lots of people are focusing on this, but it's kind of a red herring. No trademark lawyers were ever actually involved. However, to me, it's much more a condemnation of the idiotic ways in which trademark law (not to mention copyright and patent law) are so frequently abused in the tech space and beyond. So many in the tech community are quite reasonably primed to be outraged at stupid trademark bullying because it happens all the time, that it's no surprise that Koculu's instinctual reaction is that this was what was happening to him. The fact that Kik had a patent agent (why?!?) contact him, and then that patent agent brought up trademark in a threatening way, only confirmed Koculu's initial reaction. Kik should have handled that much better.
  2. NPM's dispute process: Since it operates the platform, it has every right to make decisions on how the platform is used and how it handles namespaces. However, with that power comes plenty of responsibility, if it wishes to maintain the trust and support of the developers who use it. Making decisions with little transparency or without a clear and open process is going to lead to results like this. NPM didn't appear to attempt to arbitrate the dispute or to even calm down the initial exchange. It just decided one way with very minimal explanation and no indication that the process could be appealed or disputed.
  3. On "code stealing": Some have argued that NPM "stole" Koculu's code or that it just gave it to another person to maintain, but that's wrong. The code was open sourced, so it could be reused. The only question was around allowing that code to have the original version number, which again gets back to a trust issue. As Sven Slootweg pointed out, the implications here could seriously undermine trust:

    Then the next disaster struck, once people realized that not only could Kik (the company) push whatever code they wanted as a patch version to existing users of the kik library... but anybody could register any of the other now-removed NPM packages, and do the same thing.

    This is a security issue so significant, that I can't believe it even happened. Had a malware author scooped up left-pad, for example, they could have infected potentially thousands to millions of users with a single publish. In fact, that still might happen - because who is nj48 anyway?

    This really cannot ever, ever, ever be allowed. Global namespace or not, once an identifier has been used and removed, it should not ever be possible to reassign it to anything else.

    Another potential solution for this, which should be perfectly legitimate with open source code is that if you're publishing it as a package that can be a dependency, it can't be removed. The developer can abandon it or move on, but they shouldn't be able to delete the code. That, alone, was a big part of the problem here.
  4. Careful who you depend on: Really, the biggest thing that stood out to me in all of this is the house of cards of different dependencies that creates layers upon layers of interdependencies that many people don't even realize exist. Pulling one little 11-line bit of code out of a package manager could bring parts of the internet to its knees. That's ridiculous on multiple levels. David Haney had a great post on all of this asking whether people had forgotten how to code, given that they're now relying on dependencies for very simple functions like left-pad:
    ...even if the package’s logic is correct, I can’t help but be amazed by the fact that developers are taking on dependencies for single line functions that they should be able to write with their eyes closed. In my opinion, if you cannot write a left-pad, is-positive-integer, or isArray function in 5 minutes flat (including the time you spend Googling), then you don’t actually know how to code. Hell, any of these would make a great code screening interview question to determine whether or not a candidate can code.

    Finally, stringing APIs together and calling it programming doesn’t make it programming. It’s some crazy form of dependency hacking that involves the cloud, over-engineering things, and complexity far beyond what’s actually needed.

    What’s worse is that if any of your code (or the 3rd party library code) has a bug or breaks, you won’t know how to debug or fix it if you don’t know how to program.
    He's right that people "outsourcing" such simple functions to packages seems ridiculous, but to me the bigger issue is why so many did so as a dependency. I'm less concerned about people reusing code (which can be a good thing), than the fact that so many set these things up to be dependent on other code they had no control over. I get the value of modular systems and the ability to string together stuff, but when important code is totally reliant on layers upon layers of third parties, that seems ridiculous. If you want to reuse the code, why not just bring the code into your program, rather than making a dependency on something so basic? Obviously, many of the systems that relied on left-pad didn't even realize they were doing so, as they relied on other systems that had a dependency on left-pad, so the problem was "downstream," so to speak. But, still, if you're going to rely on dependencies, it seems like you should recognize just how fragile the house of cards you're relying on may be.
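To make the version mechanics in the left-pad paragraph above and in Slootweg's point concrete, here is an added example (not code from the article, from npm or from any of the people quoted): a simplified resolver that shows why exact pins still failed after the name was re-published as 1.0.0, why restoring 0.0.3 made installs succeed again, and why every one of those installs now fetched code from a publisher other than the original author. The range grammar is a small subset of real semver, and the dependents, registry snapshots and owner names are constructed for the example.

```javascript
// Simplified model of npm-style version resolution (added example; not code from the
// article or from npm). Range support is a subset of real semver: "x.y.z", "~x.y.z",
// "^x.y.z" and "*". Owner names other than the original author are placeholders.
const parse = (v) => v.split(".").map(Number);
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
function satisfies(version, range) {
  if (range === "*") return true;
  const op = range[0] === "~" || range[0] === "^" ? range[0] : "";
  const v = parse(version), r = parse(range.slice(op.length));
  if (!op) return cmp(v, r) === 0;          // exact pin
  if (cmp(v, r) < 0) return false;
  let upper;                                // first version the range excludes
  if (op === "~") upper = [r[0], r[1] + 1, 0];       // ~: patch updates only
  else if (r[0] > 0) upper = [r[0] + 1, 0, 0];       // ^x.y.z, x > 0: minor+patch
  else if (r[1] > 0) upper = [0, r[1] + 1, 0];       // ^0.y.z: patch only
  else upper = [0, 0, r[2] + 1];                     // ^0.0.z: effectively exact
  return cmp(v, upper) < 0;
}
// Highest published version that satisfies the range, or null (the install fails).
function resolve(range, published) {
  const ok = published.filter((p) => satisfies(p.version, range));
  ok.sort((a, b) => cmp(parse(b.version), parse(a.version)));
  return ok[0] || null;
}
// Per dependent: "broken" (nothing matches), "foreign-owner" (a version matches but
// its publisher is not the one originally trusted) or "ok".
function audit(dependents, published, trustedOwner) {
  return dependents.map(({ name, range }) => {
    const hit = resolve(range, published);
    if (!hit) return { name, outcome: "broken" };
    const outcome = hit.owner === trustedOwner ? "ok" : "foreign-owner";
    return { name, outcome, version: hit.version, owner: hit.owner };
  });
}
// Constructed dependents and registry snapshots (owner names are placeholders).
const DEPENDENTS = [
  { name: "pinned-app", range: "0.0.3" },   // exact pin, as in the article
  { name: "tilde-app", range: "~0.0.3" },   // any 0.0.x
  { name: "star-app", range: "*" },         // anything at all
];
const AFTER_UNPUBLISH = [{ version: "1.0.0", owner: "new-publisher" }];
const AFTER_RESTORE = [{ version: "0.0.3", owner: "new-publisher" }, ...AFTER_UNPUBLISH];
console.log("after unpublish:", audit(DEPENDENTS, AFTER_UNPUBLISH, "original-author"));
console.log("after restore:  ", audit(DEPENDENTS, AFTER_RESTORE, "original-author"));
```

After the unpublish the pinned and tilde dependents report "broken" while the wildcard one quietly takes 1.0.0 from the new publisher; after the restore nothing is broken, but every dependent now reports "foreign-owner", which is exactly the trust problem Slootweg describes.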
The open source world is great and powerful, and the rise of package managers and code repositories is also great. But people should be aware of what they're relying on when they build their systems, and how quickly it might fall apart. Oh, and trademark bullying is lame.

Filed Under: azer koculu, dependencies, kik, left-pad, modules, namespaces, node.js, npm, open source, threats, trademark
Companies: kik, npm


Reader Comments

    That Anonymous Coward (profile), 26 Mar 2016 @ 4:33am

    Because we have IP we get all the things we want. This is the message that has been sent.
    Rather than contact the coder and explain 'We'd really like to acquire the name from you. See we have an app called kik so we'd really like to get the name for something we are planning on publishing. I know this is a big hassle, but we have $X to offer to offset the hassle. Would you be interested?'
    They went from the place of we own the IP and we are going to make demands of an open source coder and play right into the entire stereotype. Then the playground monitor decided that bowing to a corporation ASAP was the right play to avoid hassles, ignoring the shockwave that would be generated by giving the appearance of caring more about corporate interests than about those who actually use the playground.

    There are people who are pissed that the coder pulled his code, one might assume because it broke something for them. The message is you can't be offended, take your ball, and go home even after people shit on you. Of course when something happens to them, they will be SHOCKED that other people will tell them you can't be offended, take your ball, and go home even after people shit on you.

    I expect that this little kerfuffle is going to change some things, and maybe not in a way that will benefit NPM. The changing and reassigning numbers so some people might be unaware there was a change will bite them. Recent memory has a story about some tool who acquired some popular WP plugins & inserted code to make him his very own backdoor and ship the passwords to his server. People didn't notice the authorship got changed right away & were getting burned because people just expected a thing with the right name was the same as the thing they always used.

    The model of a central place to get things has gotten a couple of black eyes out of this, and once people stop being pissed at the coder & look at what happened & how there are plenty of points where it went sideways.

    Also is anyone really curious to see what kik is going to publish, and if it is a worthless piece of uselessness but at least it let them get their name out there.
