TL;DR: A patent and trademark agent and NPM bullied an Open Source Dev, so the Dev deleted his code from NPM as is his right. The internet broke. NPM restored the code against the dev’s wishes. Corpos win…as always.
I’d say the bigger issue was people live-linking to the files rather than downloading and using a version controlled copy they can control.
They don’t teach about Configuration Management in web-dev bootcamp
They don’t teach about Configuration Management in web-dev bootcamp
Ha! Bullshit like configuration management, memory management, optimizing compilers, all obsolete technology! We don’t need that anymore with modern web browsers now that every single computer ever is connected to the Internet, and now that we have AI to write code for us!!! JavaScript is the one true language!
(sarcasm)
I love how it broke React.
“Bullied”? I mean, the open source app the trademarker wanted to replace wasn’t popular either, and I don’t see how the heck “kik” could be related to something for creating templates. Neither do I see it for messaging, but that is a trademark.
In this case, we believe that most users who would come across a kik package, would reasonably expect it to be related to kik.com.
IMO, the dev was the asshole in that case.
Not in my book. They asked him if he would rename his package, he replied sorry but I’m building a project with this name, and they replied that they were going to send lawyers to do takedowns if he would release his project. This would also rub me the wrong way. Also, the dev was already working on the package before the kik company ever came to NPM. Why would he have to give up on the name for his project?
Because not enforcing a trademark means potentially losing the trademark. Not saying that makes it right, IMHO the system just sucks.
For United States trademarks, not necessarily. You don’t have to enforce the trademark to keep it; you just have to renew it on time.
The problem with not enforcing the trademark is that it opens the term up to genericization (for example, referring to all types of tissues as Kleenex). Genericization will cause a company to lose the trademark.
I don’t think kik was worried about that. It’s more likely they were bullying the guy into giving up the package name.
I’m not sure you are right. There seem to be an awful lot of lawyers phrasing it less clearly.
Trademarks require constant vigilance. The moment you let your guard down, there’s a chance that someone else might swoop in and use your trademark without permission. This unauthorized usage could lead to confusion among customers and weaken the association between the trademark and the company it represents. Therefore, defending your trademark should be a top priority.
This might be done on purpose of course to attract clients.
I don’t think kik was worried about that. It’s more likely they were bullying the guy into giving up the package name.
That might be true regardless of copyright law :)
It’s been a few years since I dug through trademark law trying to find an answer to this question, but from my understanding, as long as the trademark isn’t abandoned, doesn’t become genericized, and is renewed, it doesn’t have to be strictly enforced through litigation.
You only really need to enforce your trademark when there’s a chance of it causing confusion about whether goods produced by some other party are actually produced by the trademark holder (which is the scenario your quote is talking about). Take “Apple,” for example. I can’t sell any software or electronics with the name “Apple” on it without infringing on Apple, Inc.'s trademark, but I can sell “Farmer Tim’s Golden Delicious Apples” without issue. If Apple tried to enforce their trademark on a box of apples, they wouldn’t be successful. If they tried to enforce their trademark on Tim Apple’s iJuicer Pro, they probably would succeed.
Anyway, I think a lot of the confusion about this comes from trademark law being oversimplified into the phrase “use it or lose it.” That’s strictly true when it comes to actually using the trademark, but it’s not actually a requirement to liberally enforce it.
That might be true regardless of copyright law :)
A sad truth. You don’t need to win when you can bury your opposition in legal costs (or threats of).
I just had a thought: is it legal for lawyers to say half-truths to get clients to use them more and thus earn more money?
Thanks for your reply. I’m inclined to believe you, as it seems more likely that this was a case of corporate bullshit and not a case of “alas, our hands are tied”.
The dev could claim something like “prior art”, or whatever the alternative is for software. Suppose I trademark the name “is-odd” for a company, should NPM now hand me the “is-odd” package name? This would surely break the internet in the same way is an this case.
But see, that’s the thing. Trademark isn’t formally granted or applied for. It has to be for an established thing that has common name recognition like kleenex or band-aid. The purpose behind this is to give legal recourse for someone to defend their brand. In order to trademark ‘is-odd’, you would have to be able to show that people (society in your country really) use is-odd to refer to a class of thing you do/make/own. You could argue that Twitter as a trademark still belongs to the ass who runs the company (by extension) because everyone insists on calling it Twitter. The expression of Twitter now has no bearing on where the trademark lies, if it exists in the first place. That would be copyright.
Now, I agree that the system is dumb, but npm should also have infrastructure in place to enable renaming so that if a case comes about where a package is renamed, that doesn’t break the internet.
Like NPM said, I’d expect a package named kbin to be about kbin.social, not e.g. some random recycling app. The company wants to open source their stuff. That’s great! And then, kik a bit selfishly doesn’t want some package with only 1 star and 3 watches to confuse the 5 people who would want to look at the source code. NPM doesn’t conflate versions between different packages formerly published under the same name, so virtually no harm done to existing users. People who want Kik’s code would get to find Kik, and people would still be able to use the renamed project. I don’t see a reason for the dev to hold on to their Kik name when it would do a slight bit of harm.
Though, maybe that’s not how it turned out. NPM later took over Kik’s package again as a security holding to this day, and whatever you think, it’s not a good reaction to unpublish all your popular packages, causing massive code breakage around the world and Facebook going up in flames, prompting the world to reevaluate dependency chains and the world’s dependency on JavaScript- that sounds kinda nice, actually, so maybe I’m glad this happened.
(also, he already released it)
I get that, but suppose you start a package on NPM named “bronk”. Sometime later someone starts a company with that name. Should you just be forced to give up your package name, just because people suddenly associate the name with the company?
Azer’s repository for his package was made five years after Kik Messenger was released.
Hard disagree. I took much delight in watching the internet collapse when he deleted HIS PROPERTY.
We’re not talking about the effects; we’re talking about the cause.
Kik, as in “kickstart”. Makes sense for templating.
Still, Kik could have easily named their package “kik-messenger” or something. Would have been much clearer.
Ah, that makes a lot of sense.
deleted by creator
Original article not via pocket: https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code
It’s the left-pad npm incident, it was a big news back than, it has its own section on wikipedia: https://en.wikipedia.org/wiki/Npm#Dependency_chain_issues
I always reel in horror when projects have tiny, ‘negligible to implement yourself’ functions like these as dependencies. See also: is-even 🙄
Edit:
is-even
has a dependency onis-odd
which has a dependency onis-number
. 🤦♂️I think
is-odd
is intentionally a reference to / satire ofleftpad
It was created in 2014, 2 years before the leftpad incident, when a user was learning JavaScript. They now have over 350k downloads per week.
However, https://github.com/slmjkdbtl/is-is-odd/issues/4 is a wonderful work of satire.
Used in
is-ten
. Genius
JavaScript is a dangerous shitshow for this exact reason. Dependencies are a security and stability nightmare.
Eh, I’d say any language that offers a package repository is just as susceptible. I’m neither pro- nor anti- dependency, but I do always try to keep them to an absolute minimum regardless of what environment I’m working in. Sometimes it makes sense to not reinvent the wheel.
Yes, but other languages have exponentially fewer packages that install when you add something, making the attack vector smaller and easier to monitor.
The best way to fix this is for library authors to avoid installing as many sub-dependencies as possible (is-odd, being an obvious example). But that’s a fundamental culture problem.
This is why I only code in Assembly. /jk
And the whole implementation of is-number which is at version 7.0.0:
module.exports = function(num) { if (typeof num === 'number') { return num - num === 0; } if (typeof num === 'string' && num.trim() !== '') { return Number.isFinite ? Number.isFinite(+num) : isFinite(+num); } return false; };
The node.js ecosystem has always been madness.
At this point it’s just a joke. Is there a npm for console log? I’ll have to check.
I can’t even…
Yes you can, just don’t odd
Created by the organization “i-voted-for-trump”
Lol, I saw that. If you go to their main page, it’s explained that it’s a joke.
Yeah, Trump didn’t even exist in 2014!
/s
he never did
Hah, even!
The only part of the story that I’m pissed at is NPM corporation restoring content on their server that they didn’t own and published it to millions for profit.
Koçulu removed left pad. It was his code.
Can you imagine the lawsuits if when Disney pulled the license for Avengers on Netflix, Netflix responded with:
“Millions of customers got errors that Marvel Avengers is missing. So we put Avengers back on our servers.”
You can’t have copyright protection on something so simple.
Depending on the license it is published under, you sure can.
11 lines of code shouldn’t be a package.
you should see the “is_odd” package…
it’s like, return (num%2)? true:false
People using this deserve that their code breaks. Absolutely ridiculous.
Neither this, nor the leftpad thing, nor this is-even “package” are things I would even think about for a second before just writing it on my own. I wouldn’t even consider those features (let alone packages to depend my code on!) but basic programming.
Problem is when you accidentally pull it in as a transitive dependency…
Yeah :( This also is why such nonsense “breaks the Internet” …
i just don’t see how npm is letting this happen…
im going to write an npm module called “true” that just returns true…… and that has 4 dependencies on it’s own!
deleted by creator
well although 1 evaluates as true and zero as false, it’s not the same thing…
so yes, i did…
at which point do you blame the language for not implementing it natively?
I mean, does any language implement
is_odd()
natively? Doesn’t everyone implement modulus and pretty much assumes that you remember modulus from elementary and can infer that even numbers are those wherex % 2 == 0
.Isn’t %2 already native?
(BTW this thing failed JavaScript so hard ECMA immediately included it in that year’s standard)
at which point do you blame the language for not implementing it natively?
Erm … What more native than
number % 2
do you want to have it?2.is_even()
(I don’t know, if this is possible in JS.)
Let’s call the number variable just
x
, you then have literal math (Euclidean division) if you ignore===
instead of=
for equals.x % 2 === 0
This can’t get better or more native than “just math”. This is the whole code you need to detect if a number is even. I wouldn’t even call it “code”.
If you remove whitespaces and ignore the type you end up with x%2==0 which is 6 characters long and a fully valid
if
clause. No magic involved, no abstraction, no weird function calls on integers …I see that in modern JS this type of coding is a trend, but you can’t tell me you want to replace 6 characters with an own module or a package. :)
No, I want that in the std lib. Yes, it would just call
x % 2 == 0
underneath. But the advantage is readability. I’m in principle aware thatx % 2 == 0
is true when the number is even, but I need it seldomly enough that I do still need to think about it for a second before I know for sure. I don’t need to think aboutx.is_even()
. And the readability is what I want natively, i.e. in the std lib.It being in the std lib would also sidestep your concerns about security or the function call having unknown side effects.
at 200k weekly downloads, i blame npm for allowing it…
https://www.npmjs.com/package/is-evenhttps://www.npmjs.com/package/undefined
What do you think about this package? 14,000 weekly downloads…
now i understand why people would call code “beautiful” and “elegant”
…
this here is a true work of art
and that’s still too verbose. it should be (num % 2) != 0
return ?(num & 1)
Name checks out
I remember it live as it was happening. It was fun.
Nice run on sentence in your title. Great job.
It’s 11 lines of trash code too.
The way the function reallocates memory would bring your computer to a crawl on a large string.