By now many if not most of you have read the big blowup about an open source developer who pulled some of his JavaScript code from a repository named NPM and in doing so broke the Internet. If you need some background here and here and here are some good articles with the background. To me the real loser here was the rule of law. Make no mistake about it, when the rule of law breaks down, the open source, the Internet and even society itself breaks.
I think there is blame enough to go around in this drama. The trademark holder threatening lawyers and lawsuits is never a good way to influence people and make friends with open source developers. The open source developer who in essence “took his toys and left the playground” did so without thought to the millions of people who were disrupted, without thinking through what it means to put code in the public domain. The repo service who when perceived as threatened caved in like a cheap suit and took away a name from the developer without due process is also not without blame.
All three of these parties could have handled this differently and this whole thing could have been avoided. Hell if people all over the world didn’t depend on these 11 lines of code instead of doing it themselves we wouldn’t give a rats behind about any of this. But they didn’t, we didn’t and so we do.
Just as there are plenty of people to blame here, there are also plenty of losers. The biggest losers are those who depended on this javascript and had their apps break. But I think the open source movement is a loser here too. I remember when I first got into tech 25+ years ago. At the time open source software was still being snuck into organizations via WAIS, Gopher, Compuserve and floppy disks (by then they weren’t as floppy as much hard). Many organizations did not want open source in their IT department, The reasons were plenty:
- Was it secure?
- Who did you call for support?
- Was it legal? What license was there for it? How could you modify it?
The security issue persists to this day, though there are arguments pro and con. Many companies have based their whole business model around supporting open source software. On the legality and licensing issue a whole cottage industry popped up around open source licenses. The GPL in all of its versions, the Apache license, and a myriad of other open source licenses have evolved.
Around all of these licenses the idea is give the user a sense of legitimacy. To let them know what is allowed, what is not allowed. Both the author and the user are given well defined protections. This as much as security and support enabled open source software to proliferate and become as dominant as it is today.
For me a key tenet of open source is that once the code has been released into the open community it cannot be pulled. You don’t have to continue developing new versions. Heck you can even do what my friend Ron Gula and Tenable Security did with Nessus. They came out with new versions that were not open source (though still free as in beer). But they would never pull down an older version that was open source and remove it.
You could be mad at the lawyers, you can rage at the repo, but you can’t decide your code should no longer be available. You can say your new code won’t be, but you can’t take your old code down and go home. Sorry, that breaks the rule of law. When you break the rule of law everything we hold dear breaks. Not just the Internet but society itself. We depend on the rule of law.When you break the rule of law you wind up punished. This is where law suits and damages result.
The rule of law should apply to the repository as well. There needs to be clear rules of engagement and process in place for when these kind of situations pop up. I reached out to my friends at Sonatype who run the Central Repository about what they think of NPM’s actions here. Brian Fox, VP of Product Management at Sonatype told me this:
As long time advocates of open source software development, we have huge respect for everything that NPM stands for. What happened last week was unfortunate — not only for NPM, but for the entire open source community.
For the past decade, Sonatype has served as the steward of The Central Repository — which itself has grown to become the de facto standard for Java based open source component distribution. During this time we have embraced several fundamental tenets designed to ensure reliability of The Central Repository in support of developers around the world. The most important of these tenets is that components are immutable which, in our experience, is the only reliable way to build a system that allows reuse of dependencies.
Another important tenet underpinning The Central Repository is the requirement of a minimal set of metadata, pgp signatures, and verification of coordinates. Collectively, these ensure that someone can’t show up and pretend to be a representative of a popular project and publish components that would be detrimental to the community.
Finally, all content in Central is namespaced by a groupId. This groupId maps to a domain name of a project or foundation. (e.g. org.apache) In order to publish into this namespace, a publisher must be manually approved; which guarantees that only the official project or someone delegated to do so, can publish to that namespace.
If you want to see more about how Sonatype views this you can read their blog on it at the Nexus.
Whether you think NPM caved or not is not as important to me as did they follow their own pre-defined rules. If they did, developers should know this is how they will handle this kind of situation and the choice to deposit their code there is one that developers should make. But they make it knowing the rules. You need to have expectations of what allowed behavior is. Without it there is no rule of law otherwise.
Developers should know that once they make the decision to let their code be free (as in freedom, not beer), it is free. Like Jonathon Livingston Seagull, once you set it free it is no longer yours. The rule of law dictates this and without it everything breaks.