• Jo Miran@lemmy.ml · 17 up, 1 down · 9 months ago

    TL;DR: A patent and trademark agent and NPM bullied an Open Source Dev, so the Dev deleted his code from NPM as is his right. The internet broke. NPM restored the code against the dev’s wishes. Corpos win…as always.

    • ramble81@lemm.ee · 5 up · 9 months ago

      I’d say the bigger issue was people live-linking to the files rather than downloading and using a version controlled copy they can control.

        • Ramin Honary@lemmy.ml · 4 up · edited · 9 months ago

          They don’t teach about Configuration Management in web-dev bootcamp

          Ha! Bullshit like configuration management, memory management, optimizing compilers, all obsolete technology! We don’t need that anymore with modern web browsers now that every single computer ever is connected to the Internet, and now that we have AI to write code for us!!! JavaScript is the one true language!

          (sarcasm)

    • Aatube@kbin.social · 1 up, 6 down · 9 months ago

      “Bullied”? I mean, the open source app the trademarker wanted to replace wasn’t popular either, and I don’t see how the heck “kik” could be related to something for creating templates. Neither do I see it for messaging, but that is a trademark.

      In this case, we believe that most users who would come across a kik package, would reasonably expect it to be related to kik.com.

      IMO, the dev was the asshole in that case.

      • zout@kbin.social · 5 up · 9 months ago

        Not in my book. They asked him if he would rename his package, he replied sorry but I’m building a project with this name, and they replied that they were going to send lawyers to do takedowns if he would release his project. This would also rub me the wrong way. Also, the dev was already working on the package before the kik company ever came to NPM. Why would he have to give up on the name for his project?

        • Aatube@kbin.social · 0 up, 3 down · 9 months ago

          Like NPM said, I’d expect a package named kbin to be about kbin.social, not e.g. some random recycling app. The company wants to open source their stuff. That’s great! And then, kik a bit selfishly doesn’t want some package with only 1 star and 3 watches to confuse the 5 people who would want to look at the source code. NPM doesn’t conflate versions between different packages formerly published under the same name, so virtually no harm done to existing users. People who want Kik’s code would get to find Kik, and people would still be able to use the renamed project. I don’t see a reason for the dev to hold on to their Kik name when it would do a slight bit of harm.

          Though, maybe that’s not how it turned out. NPM later took over Kik’s package again as a security holding to this day, and whatever you think, it’s not a good reaction to unpublish all your popular packages, causing massive code breakage around the world and Facebook going up in flames, prompting the world to reevaluate dependency chains and the world’s dependency on JavaScript. That sounds kinda nice, actually, so maybe I’m glad this happened.

          (also, he already released it)

          • zout@kbin.social · 1 up · 9 months ago

            I get that, but suppose you start a package on NPM named “bronk”. Sometime later someone starts a company with that name. Should you just be forced to give up your package name, just because people suddenly associate the name with the company?

            • Aatube@kbin.social · 0 up, 4 down · 9 months ago

              Azer’s repository for his package was made five years after Kik Messenger was released.

        • zylinderhut@feddit.de · 0 up, 3 down · 9 months ago

          Because not enforcing a trademark means potentially losing the trademark. Not saying that makes it right, IMHO the system just sucks.

          • zout@kbin.social · 1 up · 9 months ago

            The dev could claim something like “prior art”, or whatever the alternative is for software. Suppose I trademark the name “is-odd” for a company, should NPM now hand me the “is-odd” package name? This would surely break the internet in the same way as in this case.

            • teddy2021@sh.itjust.works · 1 up · 9 months ago

              But see, that’s the thing. Trademark isn’t formally granted or applied for. It has to be for an established thing that has common name recognition like kleenex or band-aid. The purpose behind this is to give legal recourse for someone to defend their brand. In order to trademark ‘is-odd’, you would have to be able to show that people (society in your country really) use is-odd to refer to a class of thing you do/make/own. You could argue that Twitter as a trademark still belongs to the ass who runs the company (by extension) because everyone insists on calling it Twitter. The expression of Twitter now has no bearing on where the trademark lies, if it exists in the first place. That would be copyright.

              Now, I agree that the system is dumb, but npm should also have infrastructure in place to enable renaming so that if a case comes about where a package is renamed, that doesn’t break the internet.

          • pivot_root@lemmy.world · 0 up · 9 months ago

            For United States trademarks, not necessarily. You don’t have to enforce the trademark to keep it; you just have to renew it on time.

            The problem with not enforcing the trademark is that it opens the term up to genericization (for example, referring to all types of tissues as Kleenex). Genericization will cause a company to lose the trademark.

            I don’t think kik was worried about that. It’s more likely they were bullying the guy into giving up the package name.

            • zylinderhut@feddit.de · 1 up · edited · 9 months ago

              I’m not sure you are right. There seem to be an awful lot of lawyers phrasing it less clearly.

              Trademarks require constant vigilance. The moment you let your guard down, there’s a chance that someone else might swoop in and use your trademark without permission. This unauthorized usage could lead to confusion among customers and weaken the association between the trademark and the company it represents. Therefore, defending your trademark should be a top priority.

              Source

              This might be done on purpose of course to attract clients.

              I don’t think kik was worried about that. It’s more likely they were bullying the guy into giving up the package name.

              That might be true regardless of copyright law :)

              • pivot_root@lemmy.world · 3 up · 9 months ago

                It’s been a few years since I dug through trademark law trying to find an answer to this question, but from my understanding, as long as the trademark isn’t abandoned, doesn’t become genericized, and is renewed, it doesn’t have to be strictly enforced through litigation.

                You only really need to enforce your trademark when there’s a chance of it causing confusion about whether goods produced by some other party are actually produced by the trademark holder (which is the scenario your quote is talking about). Take “Apple,” for example. I can’t sell any software or electronics with the name “Apple” on it without infringing on Apple, Inc.'s trademark, but I can sell “Farmer Tim’s Golden Delicious Apples” without issue. If Apple tried to enforce their trademark on a box of apples, they wouldn’t be successful. If they tried to enforce their trademark on Tim Apple’s iJuicer Pro, they probably would succeed.

                Anyway, I think a lot of the confusion about this comes from trademark law being oversimplified into the phrase “use it or lose it.” That’s strictly true when it comes to actually using the trademark, but it’s not actually a requirement to liberally enforce it.

                That might be true regardless of copyright law :)

                A sad truth. You don’t need to win when you can bury your opposition in legal costs (or threats of).

                • Aatube@kbin.social · 2 up · 9 months ago

                  I just had a thought: is it legal for lawyers to say half-truths to get clients to use them more and thus earn more money?

                • zylinderhut@feddit.de · 1 up · 9 months ago

                  Thanks for your reply. I’m inclined to believe you, as it seems more likely that this was a case of corporate bullshit and not a case of “alas, our hands are tied”.

      • nick@midwest.social · 1 up · 9 months ago

        Hard disagree. I took much delight in watching the internet collapse when he deleted HIS PROPERTY.

  • Blue_Morpho@lemmy.world · 12 up · edited · 9 months ago

    The only part of the story that I’m pissed at is NPM corporation restoring content on their server that they didn’t own and publishing it to millions for profit.

    Koçulu removed left pad. It was his code.

    Can you imagine the lawsuits if when Disney pulled the license for Avengers on Netflix, Netflix responded with:

    “Millions of customers got errors that Marvel Avengers is missing. So we put Avengers back on our servers.”

  • Admiral Patrick@dubvee.org · 4 up · edited · 9 months ago

    I always reel in horror when projects have tiny, ‘negligible to implement yourself’ functions like these as dependencies. See also: is-even 🙄

    Edit: is-even has a dependency on is-odd which has a dependency on is-number. 🤦‍♂️

    • GigglyBobble@kbin.social · 2 up · 9 months ago

      And the whole implementation of is-number which is at version 7.0.0:

      // Numbers: NaN - NaN and Infinity - Infinity are both NaN, so this
      // rejects NaN and ±Infinity while accepting every finite number.
      module.exports = function(num) {
        if (typeof num === 'number') {
          return num - num === 0;
        }
        // Non-blank strings: coerce with unary + and require a finite result.
        if (typeof num === 'string' && num.trim() !== '') {
          return Number.isFinite ? Number.isFinite(+num) : isFinite(+num);
        }
        return false;
      };

      The node.js ecosystem has always been madness.

    • Pennomi@lemmy.world · 1 up · edited · 9 months ago

      JavaScript is a dangerous shitshow for this exact reason. Dependencies are a security and stability nightmare.

      • Admiral Patrick@dubvee.org · 0 up, 1 down · edited · 9 months ago

        Eh, I’d say any language that offers a package repository is just as susceptible. I’m neither pro- nor anti- dependency, but I do always try to keep them to an absolute minimum regardless of what environment I’m working in. Sometimes it makes sense to not reinvent the wheel.

        • Pennomi@lemmy.world · 1 up · 9 months ago

          Yes, but other languages have exponentially fewer packages that install when you add something, making the attack vector smaller and easier to monitor.

          The best way to fix this is for library authors to avoid installing as many sub-dependencies as possible (is-odd, being an obvious example). But that’s a fundamental culture problem.
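The dependency-count point made in the comments above (a chain like is-even → is-odd → is-number pulls in packages nobody asked for, and every one of them is part of the attack surface), as an added example that is not from this thread or from npm: a walker over an npm lockfile's `packages` map (the lockfileVersion 2/3 layout) that resolves each dependency the way Node's loader does, nested `node_modules` first, then each ancestor's, then the top level, and reports the installed closure, direct count, chain depth, names installed more than once, and leaf packages with no dependencies of their own. The lockfile is constructed inline to mirror the chain named in the thread; `tiny-helper` and every version except is-number 7.0.0 are made-up placeholders.

```javascript
// Added example (not from the thread or from npm): audit the transitive
// dependency closure recorded in an npm lockfile (lockfileVersion 2 or 3,
// which stores every installed package under lock.packages keyed by its
// path relative to the project root, "" being the root itself).

// Constructed lockfile mirroring the is-even -> is-odd -> is-number chain
// mentioned in the thread. "tiny-helper" and every version except
// is-number 7.0.0 are made-up placeholders, not real registry data.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "is-even": "^1.0.0", "left-pad": "^1.0.0", "is-number": "^7.0.0" } },
    "node_modules/is-even": { version: "1.0.0", dependencies: { "is-odd": "^0.1.0" } },
    "node_modules/is-odd": { version: "0.1.0", dependencies: { "is-number": "^6.0.0" } },
    // is-odd wants an older is-number than the root, so npm nests a second copy.
    "node_modules/is-odd/node_modules/is-number": { version: "6.0.0", dependencies: { "tiny-helper": "^1.0.0" } },
    "node_modules/is-number": { version: "7.0.0" },
    "node_modules/tiny-helper": { version: "1.0.0" },
    "node_modules/left-pad": { version: "1.0.0" },
  },
};

// Key of the package that physically contains `key` (the root is "").
function parentKey(key) {
  const i = key.lastIndexOf("/node_modules/");
  return i === -1 ? "" : key.slice(0, i);
}

// Resolve `dep` as required from `fromKey`, the way Node's loader does:
// the requiring package's own node_modules first, then each ancestor's,
// finally the top-level node_modules. Returns null if the lockfile has no entry.
function resolveDep(packages, fromKey, dep) {
  let scope = fromKey;
  for (;;) {
    const candidate = scope === "" ? `node_modules/${dep}` : `${scope}/node_modules/${dep}`;
    if (candidate in packages) return candidate;
    if (scope === "") return null;
    scope = parentKey(scope);
  }
}

// Breadth-first walk from the root; returns Map<lockKey, {name, version, depth, requiredBy}>.
// Only packages actually reachable from the root are counted, so stale
// lockfile entries do not inflate the result.
function dependencyClosure(lock, rootKey = "") {
  const packages = lock.packages;
  const seen = new Map();
  const queue = [[rootKey, 0]];
  while (queue.length > 0) {
    const [key, depth] = queue.shift();
    for (const dep of Object.keys(packages[key].dependencies || {})) {
      const target = resolveDep(packages, key, dep);
      if (target === null) throw new Error(`unresolved dependency ${dep} required from ${key || "<root>"}`);
      let entry = seen.get(target);
      if (!entry) {
        entry = { name: dep, version: packages[target].version, depth: depth + 1, requiredBy: [] };
        seen.set(target, entry);
        queue.push([target, depth + 1]);
      }
      entry.requiredBy.push(key || "<root>");
    }
  }
  return seen;
}

// The numbers a reviewer wants before adding a dependency: how many packages
// come along, how deep the chain goes, which names are installed more than
// once, and which leaf packages carry no dependencies of their own (the
// usual candidates for inlining).
function summarize(lock) {
  const closure = dependencyClosure(lock);
  const entries = [...closure.values()];
  const counts = new Map();
  for (const e of entries) counts.set(e.name, (counts.get(e.name) || 0) + 1);
  const leaves = [...closure]
    .filter(([key]) => Object.keys(lock.packages[key].dependencies || {}).length === 0)
    .map(([, e]) => e.name)
    .sort();
  return {
    installed: closure.size,
    direct: entries.filter((e) => e.depth === 1).length,
    maxDepth: entries.reduce((m, e) => Math.max(m, e.depth), 0),
    duplicates: [...counts].filter(([, n]) => n > 1).map(([name]) => name).sort(),
    leaves,
  };
}

console.log(summarize(SAMPLE_LOCK));
```

For a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Older lockfileVersion 1 files use a nested `dependencies` tree instead of the flat `packages` map and are not handled here. Running the summary in CI and failing when `installed` or `maxDepth` grows past an agreed bound is a cheap way to notice a new transitive chain before it ships.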

  • pHr34kY@lemmy.world · 2 up · 9 months ago

    It’s 11 lines of trash code too.

    The way the function reallocates memory would bring your computer to a crawl on a large string.

    • xor@infosec.pub · 1 up · 9 months ago

      you should see the “is_odd” package…

      it’s like, return (num%2)? true:false

      • 𝘋𝘪𝘳𝘬@lemmy.ml · 1 up · 9 months ago

        People using this deserve that their code breaks. Absolutely ridiculous.

        Neither this, nor the leftpad thing, nor this is-even “package” are things I would even think about for a second before just writing it on my own. I wouldn’t even consider those features (let alone packages to depend my code on!) but basic programming.
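The "just write it yourself" position in the last few comments, as an added example that is not from the thread or from the is-odd, is-even or left-pad packages: the one-liner quoted above, `(num % 2) ? true : false`, returns a boolean for non-integers and coerces strings, so an inlined version validates with `Number.isInteger` first (which also removes the is-number link in the chain), and left padding uses the built-in `String.prototype.padStart`. The function names and the edge-case inputs are the example's own.

```javascript
// Added example (not code from the thread or from the is-odd/is-even/left-pad
// packages): the three helpers written inline with explicit input checks.

// The one-liner discussed in the thread, kept for comparison. `%` on a
// non-integer gives a fractional remainder (2.5 % 2 === 0.5, truthy),
// NaN % 2 is NaN (falsy), and a string such as "3" is coerced first.
function naiveIsOdd(num) {
  return (num % 2) ? true : false;
}

// Inline replacement for an is-odd dependency. Rejects anything that is not
// an integer instead of returning a misleading boolean; Math.abs covers the
// fact that -3 % 2 === -1 in JavaScript.
function isOdd(value) {
  if (!Number.isInteger(value)) {
    throw new TypeError(`isOdd expects an integer, got ${typeof value} ${String(value)}`);
  }
  return Math.abs(value % 2) === 1;
}

// is-even is just the negation once the input has been validated.
function isEven(value) {
  return !isOdd(value);
}

// Inline replacement for a left-pad dependency, built on String.prototype.padStart.
// Pads on the left with `fill` (repeated and truncated as needed) up to `length`;
// an empty fill or an input already long enough is returned unchanged.
function leftPad(input, length, fill = " ") {
  const str = String(input);
  const pad = String(fill);
  if (pad.length === 0 || str.length >= length) return str;
  return str.padStart(length, pad);
}

// Runs the inputs the one-liner gets wrong and reports both answers side by
// side; for the strict version a thrown error is reported by its class name.
function compareEdgeCases() {
  const inputs = [2.5, NaN, "3", -3, 4];
  return inputs.map((v) => {
    let strict;
    try {
      strict = isOdd(v);
    } catch (e) {
      strict = e.constructor.name;
    }
    return { input: v, naive: naiveIsOdd(v), strict };
  });
}

console.log(compareEdgeCases());
console.log(leftPad(5, 3, "0"), leftPad("abc", 2), leftPad("x", 4, "ab"));
```

The point of the comparison table is that the naive version never complains: `2.5` and `"3"` come back as "odd" and `NaN` as "even", which is exactly the kind of silent coercion that later shows up as a bug in whatever called it.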