• Jo Miran
    151 points · 10 months ago

    TL;DR: A patent and trademark agent and NPM bullied an Open Source Dev, so the Dev deleted his code from NPM as is his right. The internet broke. NPM restored the code against the dev’s wishes. Corpos win…as always.

    • @ramble81@lemm.ee
      76 points · 10 months ago

      I’d say the bigger issue was people live-linking to the files rather than downloading and using a version controlled copy they can control.

      • jayrhacker
        27 points · 10 months ago

        They don’t teach about Configuration Management in web-dev bootcamp

        • Ramin Honary
          11 points · 10 months ago (edited)

          They don’t teach about Configuration Management in web-dev bootcamp

          Ha! Bullshit like configuration management, memory management, optimizing compilers, all obsolete technology! We don’t need that anymore with modern web browsers now that every single computer ever is connected to the Internet, and now that we have AI to write code for us!!! JavaScript is the one true language!

          (sarcasm)

    • Aatube
      -42 points · 10 months ago

      “Bullied”? I mean, the open source app the trademarker wanted to replace wasn’t popular either, and I don’t see how the heck “kik” could be related to something for creating templates. Neither do I see it for messaging, but that is a trademark.

      In this case, we believe that most users who would come across a kik package, would reasonably expect it to be related to kik.com.

      IMO, the dev was the asshole in that case.

      • zout
        57 points · 10 months ago

        Not in my book. They asked him if he would rename his package, he replied sorry but I’m building a project with this name, and they replied that they were going to send lawyers to do takedowns if he would release his project. This would also rub me the wrong way. Also, the dev was already working on the package before the kik company ever came to NPM. Why would he have to give up on the name for his project?

        • @zylinderhut@feddit.de
          -3 points · 10 months ago

          Because not enforcing a trademark means potentially losing the trademark. Not saying that makes it right, IMHO the system just sucks.

          • @pivot_root@lemmy.world
            9 points · 10 months ago

            For United States trademarks, not necessarily. You don’t have to enforce the trademark to keep it; you just have to renew it on time.

            The problem with not enforcing the trademark is that it opens the term up to genericization (for example, referring to all types of tissues as Kleenex). Genericization will cause a company to lose the trademark.

            I don’t think kik was worried about that. It’s more likely they were bullying the guy into giving up the package name.

            • @zylinderhut@feddit.de
              1 point · 10 months ago (edited)

              I’m not sure you are right. There seem to be an awful lot of lawyers phrasing it less clearly.

              Trademarks require constant vigilance. The moment you let your guard down, there’s a chance that someone else might swoop in and use your trademark without permission. This unauthorized usage could lead to confusion among customers and weaken the association between the trademark and the company it represents. Therefore, defending your trademark should be a top priority.

              Source

              This might be done on purpose of course to attract clients.

              I don’t think kik was worried about that. It’s more likely they were bullying the guy into giving up the package name.

              That might be true regardless of copyright law :)

              • @pivot_root@lemmy.world
                3 points · 10 months ago

                It’s been a few years since I dug through trademark law trying to find an answer to this question, but from my understanding, as long as the trademark isn’t abandoned, doesn’t become genericized, and is renewed, it doesn’t have to be strictly enforced through litigation.

                You only really need to enforce your trademark when there’s a chance of it causing confusion about whether goods produced by some other party are actually produced by the trademark holder (which is the scenario your quote is talking about). Take “Apple,” for example. I can’t sell any software or electronics with the name “Apple” on it without infringing on Apple, Inc.'s trademark, but I can sell “Farmer Tim’s Golden Delicious Apples” without issue. If Apple tried to enforce their trademark on a box of apples, they wouldn’t be successful. If they tried to enforce their trademark on Tim Apple’s iJuicer Pro, they probably would succeed.

                Anyway, I think a lot of the confusion about this comes from trademark law being oversimplified into the phrase “use it or lose it.” That’s strictly true when it comes to actually using the trademark, but it’s not actually a requirement to liberally enforce it.

                That might be true regardless of copyright law :)

                A sad truth. You don’t need to win when you can bury your opposition in legal costs (or threats of).

                • Aatube
                  2 points · 10 months ago

                  I just had a thought: is it legal for lawyers to say half-truths to get clients to use them more and thus earn more money?

                • @zylinderhut@feddit.de
                  1 point · 10 months ago

                  Thanks for your reply. I’m inclined to believe you, as it seems more likely that this was a case of corporate bullshit and not a case of “alas, our hands are tied”.

          • zout
            2 points · 10 months ago

            The dev could claim something like “prior art”, or whatever the alternative is for software. Suppose I trademark the name “is-odd” for a company, should NPM now hand me the “is-odd” package name? This would surely break the internet in the same way as in this case.

            • @teddy2021@sh.itjust.works
              1 point · 10 months ago

              But see, that’s the thing. Trademark isn’t formally granted or applied for. It has to be for an established thing that has common name recognition like kleenex or band-aid. The purpose behind this is to give legal recourse for someone to defend their brand. In order to trademark ‘is-odd’, you would have to be able to show that people (society in your country really) use is-odd to refer to a class of thing you do/make/own. You could argue that Twitter as a trademark still belongs to the ass who runs the company (by extension) because everyone insists on calling it Twitter. The expression of Twitter now has no bearing on where the trademark lies, if it exists in the first place. That would be copyright.

              Now, I agree that the system is dumb, but npm should also have infrastructure in place to enable renaming so that if a case comes about where a package is renamed, that doesn’t break the internet.

        • Aatube
          -10 points · 10 months ago

          Like NPM said, I’d expect a package named kbin to be about kbin.social, not e.g. some random recycling app. The company wants to open source their stuff. That’s great! And then, kik a bit selfishly doesn’t want some package with only 1 star and 3 watches to confuse the 5 people who would want to look at the source code. NPM doesn’t conflate versions between different packages formerly published under the same name, so virtually no harm done to existing users. People who want Kik’s code would get to find Kik, and people would still be able to use the renamed project. I don’t see a reason for the dev to hold on to their Kik name when it would do a slight bit of harm.

          Though, maybe that’s not how it turned out. NPM later took over Kik’s package again as a security holding to this day, and whatever you think, it’s not a good reaction to unpublish all your popular packages, causing massive code breakage around the world and Facebook going up in flames, prompting the world to reevaluate dependency chains and the world’s dependency on JavaScript- that sounds kinda nice, actually, so maybe I’m glad this happened.

          (also, he already released it)

          • zout
            7 points · 10 months ago

            I get that, but suppose you start a package on NPM named “bronk”. Sometime later someone starts a company with that name. Should you just be forced to give up your package name, just because people suddenly associate the name with the company?

            • Aatube
              -4 points · 10 months ago (edited)

              Azer’s repository for his package was made five years after Kik Messenger was released.

      • @nick@midwest.social
        16 points · 10 months ago

        Hard disagree. I took much delight in watching the internet collapse when he deleted HIS PROPERTY.

        • Aatube
          2 points · 10 months ago

          We’re not talking about the effects; we’re talking about the cause.

  • Admiral Patrick
    42 points · 10 months ago (edited)

    I always reel in horror when projects have tiny, ‘negligible to implement yourself’ functions like these as dependencies. See also: is-even 🙄

    Edit: is-even has a dependency on is-odd which has a dependency on is-number. 🤦‍♂️

    • GigglyBobble
      11 points · 10 months ago (edited)

      And the whole implementation of is-number which is at version 7.0.0:

      module.exports = function(num) {
        if (typeof num === 'number') {
          return num - num === 0;
        }
        if (typeof num === 'string' && num.trim() !== '') {
          return Number.isFinite ? Number.isFinite(+num) : isFinite(+num);
        }
        return false;
      };

      The node.js ecosystem has always been madness.

    • Pennomi
      10 points · 10 months ago (edited)

      JavaScript is a dangerous shitshow for this exact reason. Dependencies are a security and stability nightmare.

      • Admiral Patrick
        9 points · 10 months ago (edited)

        Eh, I’d say any language that offers a package repository is just as susceptible. I’m neither pro- nor anti- dependency, but I do always try to keep them to an absolute minimum regardless of what environment I’m working in. Sometimes it makes sense to not reinvent the wheel.

        • Pennomi
          9 points · 10 months ago

          Yes, but other languages have exponentially fewer packages that install when you add something, making the attack vector smaller and easier to monitor.

          The best way to fix this is for library authors to avoid installing as many sub-dependencies as possible (is-odd, being an obvious example). But that’s a fundamental culture problem.

        • Jo Miran
          2 points · 10 months ago (edited)

          This is why I only code in Assembly. /jk

    • LazaroFilm
      10 points · 10 months ago

      At this point it’s just a joke. Is there a npm for console log? I’ll have to check.

    • Aatube
      4 points · 10 months ago

      Created by the organization “i-voted-for-trump”

      • Admiral Patrick
        5 points · 10 months ago

        Lol, I saw that. If you go to their main page, it’s explained that it’s a joke.

  • @Blue_Morpho@lemmy.world
    29 points · 10 months ago (edited)

    The only part of the story that I’m pissed at is NPM corporation restoring content on their server that they didn’t own and published it to millions for profit.

    Koçulu removed left pad. It was his code.

    Can you imagine the lawsuits if when Disney pulled the license for Avengers on Netflix, Netflix responded with:

    “Millions of customers got errors that Marvel Avengers is missing. So we put Avengers back on our servers.”

      • Scribbd
        3 points · 10 months ago

        Depending on the license it is published under, you sure can.

    • @xor@infosec.pub
      7 points · 10 months ago

      you should see the “is_odd” package…

      it’s like, return (num%2)? true:false

      • 𝘋𝘪𝘳𝘬
        11 points · 10 months ago

        People using this deserve that their code breaks. Absolutely ridiculous.

        Neither this, nor the leftpad thing, nor this is-even “package” are things I would even think about for a second before just writing it on my own. I wouldn’t even consider those features (let alone packages to depend my code on!) but basic programming.

        • Ephera
          8 points · 10 months ago

          Problem is when you accidentally pull it in as a transitive dependency…
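The comments above keep circling the same two defender-side questions: how much a handful of direct dependencies drags in transitively (Pennomi's point about fewer packages being easier to monitor, Ephera's point about accidental transitive pulls), and whether you are holding a version-controlled, integrity-checked copy rather than live-linking to whatever the registry serves today. The script below is an added example written for this thread; it is not code from npm or from anyone quoted here. It walks a `package-lock.json` in the lockfileVersion 3 shape, reports each transitive package with the chain that pulled it in, and flags resolved packages that lack an `integrity` hash (the field `npm ci` verifies before unpacking a tarball). The lockfile object is constructed for the example: its package names mirror the thread, but the versions, URLs and sha512 strings are placeholders, not real registry data. It assumes a flat `node_modules` layout and does not resolve nested duplicates.

```javascript
// Added example for this thread, not code from npm or from anyone quoted above.
// Audits a package-lock.json (lockfileVersion 3 shape) for transitive fan-out
// and for resolved packages that carry no integrity hash.
// The lockfile below is constructed: versions, URLs and sha512 values are
// placeholders, not real registry data.

const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-pad": "^1.3.0", "is-even": "^1.0.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.example.invalid/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER_LEFT_PAD",
    },
    "node_modules/is-even": {
      version: "1.0.0",
      resolved: "https://registry.example.invalid/is-even-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER_IS_EVEN",
      dependencies: { "is-odd": "^0.1.2" },
    },
    "node_modules/is-odd": {
      version: "0.1.2",
      resolved: "https://registry.example.invalid/is-odd-0.1.2.tgz",
      integrity: "sha512-PLACEHOLDER_IS_ODD",
      dependencies: { "is-number": "^3.0.0" },
    },
    "node_modules/is-number": {
      version: "3.0.0",
      resolved: "https://registry.example.invalid/is-number-3.0.0.tgz",
      // integrity deliberately absent so the audit has something to flag
      dependencies: { "kind-of": "^3.0.2" },
    },
    "node_modules/kind-of": {
      version: "3.2.2",
      resolved: "https://registry.example.invalid/kind-of-3.2.2.tgz",
      integrity: "sha512-PLACEHOLDER_KIND_OF",
    },
  },
};

// Walk the dependency graph breadth-first from the root's direct dependencies.
// Assumption: a flat node_modules layout, so each package is looked up at
// "node_modules/<name>"; nested duplicates (a/node_modules/b) are not resolved.
function auditLockfile(lock) {
  const pkgs = lock.packages || {};
  const direct = Object.keys((pkgs[""] && pkgs[""].dependencies) || {});
  const chains = {};            // name -> shortest path from a direct dependency
  const missingIntegrity = [];  // resolved packages with no integrity hash
  const unresolved = [];        // names referenced but absent from the lockfile
  const queue = direct.map((name) => [name]);

  while (queue.length > 0) {
    const chain = queue.shift();
    const name = chain[chain.length - 1];
    if (chains[name] !== undefined) continue;   // first (shortest) path wins
    chains[name] = chain;

    const entry = pkgs[`node_modules/${name}`];
    if (!entry) { unresolved.push(name); continue; }
    if (entry.resolved && !entry.integrity) missingIntegrity.push(name);
    for (const dep of Object.keys(entry.dependencies || {})) {
      queue.push(chain.concat(dep));
    }
  }

  const depths = Object.values(chains).map((c) => c.length);
  return {
    direct: direct.length,
    total: Object.keys(chains).length,
    maxDepth: depths.length ? Math.max(...depths) : 0,
    chains,
    missingIntegrity,
    unresolved,
  };
}

// One line per transitive package so a reviewer can see how it got in.
function formatReport(report) {
  const lines = [
    `${report.direct} direct -> ${report.total} installed (max depth ${report.maxDepth})`,
  ];
  for (const [name, chain] of Object.entries(report.chains)) {
    if (chain.length > 1) lines.push(`  ${name} via ${chain.join(" > ")}`);
  }
  for (const name of report.missingIntegrity) {
    lines.push(`  WARNING: ${name} has no integrity hash`);
  }
  return lines.join("\n");
}

console.log(formatReport(auditLockfile(LOCKFILE)));
```

On a real project, replace `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and run it in CI: a growing `total` is the signal Pennomi describes, the `via` chains show which direct dependency is responsible, and any `WARNING` line means the lockfile cannot pin that tarball's contents, so a registry-side change would install silently.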

        • @xor@infosec.pub
          4 points · 10 months ago

          I just don’t see how npm is letting this happen…
          I’m going to write an npm module called “true” that just returns true…

        • @xor@infosec.pub
          1 point · 10 months ago

          well although 1 evaluates as true and zero as false, it’s not the same thing…
          so yes, i did…

      • 50gp
        1 point · 10 months ago (edited)

        at which point do you blame the language for not implementing it natively?

        • Rikudou_SageA
          9 points · 10 months ago

          I mean, does any language implement is_odd() natively? Doesn’t everyone implement modulus and pretty much assume that you remember modulus from elementary and can infer that even numbers are those where x % 2 == 0?

        • 𝘋𝘪𝘳𝘬
          6 points · 10 months ago

          at which point do you blame the language for not implementing it natively?

          Erm … What more native than number % 2 do you want to have it?

          • Ephera
            -3 points · 10 months ago (edited)

            2.is_even()

            (I don’t know, if this is possible in JS.)

            • 𝘋𝘪𝘳𝘬
              4 points · 10 months ago

              Let’s call the number variable just x, you then have literal math (Euclidean division) if you ignore === instead of = for equals.

              x % 2 === 0

              This can’t get better or more native than “just math”. This is the whole code you need to detect if a number is even. I wouldn’t even call it “code”.

              If you remove whitespaces and ignore the type you end up with x%2==0 which is 6 characters long and a fully valid if clause. No magic involved, no abstraction, no weird function calls on integers …

              I see that in modern JS this type of coding is a trend, but you can’t tell me you want to replace 6 characters with an own module or a package. :)

              • Ephera
                -1 points · 10 months ago

                No, I want that in the std lib. Yes, it would just call x % 2 == 0 underneath. But the advantage is readability. I’m in principle aware that x % 2 == 0 is true when the number is even, but I need it seldom enough that I do still need to think about it for a second before I know for sure. I don’t need to think about x.is_even(). And the readability is what I want natively, i.e. in the std lib.

                It being in the std lib would also sidestep your concerns about security or the function call having unknown side effects.

        • Aatube
          6 points · 10 months ago (edited)

          Isn’t %2 already native?

          (BTW this thing failed JavaScript so hard ECMA immediately included it in that year’s standard)

  • Rikudou_SageA
    14 points · 10 months ago

    I remember it live as it was happening. It was fun.

  • @pHr34kY@lemmy.world
    2 points · 10 months ago

    It’s 11 lines of trash code too.

    The way the function reallocates memory would bring your computer to a crawl on a large string.