That said, this seems like a weird argument to me:
> but I still don't understand why NPM didn't take the time to find out if any of my modules were widely used and consider ways to handle the unpublishing without breaking anything
Sure, NPM's unpublish mechanism was a misdesign, but is he saying that he expected people at the company to manually go through this every time someone did an unpublish? That doesn't seem too reasonable IMO, NPM the company isn't curating NPM the registry. They host it as a public service.
I can't fault the author all too much here though, if he hadn't triggered "the left-pad incident" then someone else would've not too long after. NPM fixed the problem, by means of a better unpublish policy [0] and that's that.
[0] https://docs.npmjs.com/policies/unpublish#packages-published...
The author simply ran the script that NPM themselves told him to, and later NPM blamed the author for their own failings.
They do in fact curate the registry, mainly for reporting vulnerabilities to consumers and to remove malicious packages.
After left-pad, I understood why.
Technology is a fickle muse. We nerds obsess over her and degrade ourselves in her service, but she always calls us back into the light.
As someone who was around for the Morris worm and spent weeks negating its impact, I feel that there is a fundamental issue impacting our ability to make world-changing technology with the current tools. The less we strive to understand the organizational (ethical) failings of technology, the less technology can be used to effect productive change in the realms it is being applied.
That said, I'm about a month (and a few hundred failed compiles) away from taking my own sabbatical, and I can't help but try to reason what things would be like for me, upon my return after some years, in the technological space I've carved out for my own needs, at much different scales and contexts.
Perhaps it should become somewhat standard for us technologists to take sabbaticals, more often, and more seriously, in order to give us the context we need to understand the ethical dilemma that impinges upon our technological prowess.
Koçulu, thank you for your thoughts. I may never be affected by the javascript world, but the lessons it provides from within the temple nevertheless reverberate among the outer chambers ..
> Most of my open source work followed Unix philosophy, so the packages did one thing at a time.
Nobody has suggested that libc -- to take the most obvious example -- is against the Unix philosophy. Debates occur around whether commands / daemons do too much (recent poster child being systemd) or aren't composable.
I don’t think such small packages are sensible, in particular when versioned separately, but I also don’t see how the left-pad debacle has shown that.
Plenty of people have suggested that. I'll suggest it for you now if you like. The modern form of libc is very much against the unix philosophy; traditional Unix had a much simpler libc where many functions were just syscalls; some parts of today's libc were hived off into separate libraries like libm, and other parts like NSS and convoluted DNS resolution frameworks just didn't exist at all.
You could say that Eclipse does "one thing" - being an IDE platform - but I don't think anyone thinks that's what the Unix devs meant. Similarly I don't think they meant for people to write libraries that contain one 11-line function.
The actual advice should be something like "programs/libraries shouldn't try to do too much or too little". How do you know how much is too much or too little? Like so many programming guidelines the answer is you need taste and experience.
(i) Make each program do one thing well. To do a new job, build afresh rather than complicate old programs by adding new "features".
(ii) Expect the output of every program to become the input to another, as yet unknown, program. Don't clutter output with extraneous information. Avoid stringently columnar or binary input formats. Don't insist on interactive input.
(iii) Design and build software, even operating systems, to be tried early, ideally within weeks. Don't hesitate to throw away the clumsy parts and rebuild them.
(iv) Use tools in preference to unskilled help to lighten a programming task, even if you have to detour to build the tools and expect to throw some of them out after you've finished using them.
---
[1] https://archive.org/details/bstj57-6-1899/page/n3/mode/2up
That's what a philosophy is, gives you some general guideline and you have to use your thinking to figure out how to apply it in specific circumstances. It does not substitute that thinking, nor does it prevent stupid choices; it helps guide you at a higher/strategic level. It is not responsible for people making stupid decisions.
Libc implementations have a very clear scope, clear enough that you can point to the specification. That is their 'one thing' do what that spec says.
Eclipse however, doesn't have that singular goal. You would be hard pressed to say how many of Eclipse's tentacles are a clear push towards being an IDE. What should a completely finished version of Eclipse that met all its goals look like?
Similarly the one thing could be "be a c preprocessor" or "be a full c compiler"; these are both "one thing"s even while one is a subset of the other.
The intention of "do one thing, and do it well" is not to limit the scope but to show the boundary of the scope and to commit to doing everything within that boundary.
By making your one thing "a full c compiler" you should be committing to doing everything that someone making a c preprocessor is doing, and to the same standard. The Unix philosophy should be considered a warning not to neglect components because you are working on a larger system.
You can't do everything, but you don't have to. If others are following the same principles then many of the parts of what you need will be done to a high standard by others.
I don't see how anyone could read the Lions book or APUE, on one hand, and the pthreads manual or the ANSI C specification of setlocale(), on the other, and come to the conclusion that they represent the same philosophy. It's like thinking Ayn Rand is an exponent of the same philosophy as Epicurus; it betrays a staggering lack of sincere engagement with either one.
I remember the incident and what struck me most is how, for me, this was a clear example of a community (Javascript) that depended too much on dependencies (pun somewhat intended).
I don't know why so many people put so much blame on you. You unpublished a package with 11 lines of code [0]. I don't think you fully understood the frustration it would cause. And you mentioned that in the post.
> NPM didn't show usage stats, and there was almost no activity on Github. As a user, it was impossible to know the impact of unpublishing packages
The root cause imo isn't akoculu unpublishing the package. In my opinion that lies more in the over-reliance on dependencies, the npm policies and maybe also build systems not caching/vendoring code.
[0] https://en.wikipedia.org/wiki/Npm_left-pad_incident#Backgrou...
Jon Schlinkert on the other hand is going out of his way to produce these micro libraries and then include them in his widely used legitimate projects (handlebars-helpers) with zero willingness to simply integrate them into the projects that actually use them. Here is the deal: Do you want to be trolled? Then use handlebars-helpers, if not, then stop using the damn library.
Jon Schlinkert is a typical marketing A-hole. He should be banned from NPM and Github IMHO.
Also, Kik turns out to be negligent and pretty scummy. There was some controversy with them involving crypto, but the main thing I remember about them is that Kik is rife in terms of trading pornography, including child pornography, as discussed on this Darknet Diaries episode: https://darknetdiaries.com/episode/93/.
So, from that point of view, I quite enjoy that Azer Koçulu told them to fuck off.
turns out?
they threatened a pre-existing naming collision with legal action and bullied the platform first into forcing the name to be theirs, and then afterwards by crying to npm until their software tests passed again.
they began scummy.
The package has to have a public API, meet millions of different people's use cases, and any change to the API will cause millions of man-hours of useless work... and yet if it's a poorly designed API, it might cause millions of sub-optimal programs.
Every project has a StringUtils file. But every project's StringUtils file is different.
Published packages in an ecosystem ought to be well-designed, with good performance, good APIs, good security. Packages that don't meet that bar ought to be kept out. npm is jarring because it let any old shit get published, despite there being long-standing package ecosystems in other languages with much better standards, that they could have copied from (CPAN, PyPi, RubyGems, Maven Central, NuGet Gallery, etc.)
As a business, each additional human or company you add to your supply chain represents additional risk that you're taking on. You can go some ways towards mitigating those risks—one of the most common is to sign a contract with them rather than doing business ad hoc—but the risk doesn't go away entirely. Given that additional risk for each additional downstream supplier, it's generally safer to use code written by someone who's already on your payroll than it is to use code written by someone you've never met and have no way of vetting.
How many prompts can already be solved with a simple web query?
C&P but with extra steps
NPM has not really learned much in the time since this event either.
Somewhere along the way NPM stopped being cooperative with the community. It cemented itself with the Microsoft acquisition, but was obvious quite a bit before that.
There were so many cracks with how npm functioned, they weren't cooperating well with the community / mainline Node team, their push to commercial viability was really off-putting and forced, and many of the team members had a somewhat rough reputation.
Indeed I visited the offices in Oakland (if I recall correctly), and had an... interesting set of interactions there, not particularly positive, that I'll keep to myself.
The unpublish hole was well known at the time. Everyone blamed left-pad for breaking the internet, as it were, but nobody seemed to come down on npm for the sheer mismanagement of it all.
If memory serves they forcefully reinstated the package against the maintainer's wishes, which is a divorcement from the people they claimed to serve at best, and legally dubious at worst. Shortly after this they stopped caring much at all about abuse on their platform (core.js advertisement spam, anyone?) and haven't really worked with the community on standards, compatibility, etc. after that.
The npm@5 release was a disaster. The introduction of package lock files couldn't have gone worse, and as I remember it, it was a push to get it out alongside the next Node.js major release (I got the feeling the Node team didn't wait for npm to be ready, which I think is a good thing given npm is a for-profit, or at least acts like one).
The community outreach during that time of what seemed like endless major, catastrophic bugs and the shaming of the community for putting pressure on them, the pious attitude, was only further proof that npm was no longer an agent of FOSS. I can't remember if left-pad came before or after that but in my head it was all one long drawn out declination of the ecosystem.
The packages on npm are a meme now; small packages that do trivial tasks, and everyone likes to make fun of it. Maybe it wasn't the best thing, in hindsight. But context is crucial; npm was the first incredibly accessible package manager for an emergent popular technology, almost entirely community managed, with a good system for querying and tight integration with Github's "social coding" spirit.
It existed very early in the Node lifetime, back before even ES5 was available (we still used `var` and `prototype`!), before JavaScript best practices really existed. Before Node.js was given to the community by Joyent. Before even the Io.js fork and the exit from the long stagnation that was Node 0.10/0.12.
Nobody knew the best way to do things.
I can completely understand the author. From a security perspective I'm really thankful left-pad happened, even if it wasn't the reasoning of the author; it made people acutely aware of what relying on corporate interests divested from the communities they claim to serve brings to the table in terms of risk. It started many conversations about supply chain security, redundancy, etc. That's a hard thing to do, and it's made the industry a bit better in the long run.
Good followup, neat to read this after so long.
Npm (and JS in general) is a victim of fashion, primarily.
For me it was surprising that so many projects used this naive implementation. A non-naive implementation is faster and much smaller.
People are after the "number of downloads" metric on npm for various reasons. Left-pad has 1.4 million weekly downloads (https://www.npmjs.com/package/left-pad). Is-even has 160k weekly downloads (https://www.npmjs.com/package/is-even).
Sometimes people will include it as a dependency as a joke in their useful library. Other times the people who write these put it in useful libraries that they contribute to so that use of the useful library boosts their numbers. I'm forgetting where it is now, but it was one of the big foundational libraries in React that used one of those and there was resistance to replacing (I believe) an include and use of is-even because they were a very strict adherent to the "never write code you can include" which meant that everything using it included it.
One such story: Why has there been nearly 3 million installs of is-odd - npm in the last 7 days? - https://www.reddit.com/r/programming/comments/886zji/why_has...
I vendor dependencies on the projects I work on.
Predictable, offline builds. Storage is cheap.
Lodash has had pad/padStart/padEnd since 2016, 3 months before left-pad incident. https://lodash.info/doc/pad
Why does Maven exist, without the commercial compromises of NPM? Probably because Java has the well-funded, well-supported, but non-profit and community-oriented Apache foundation, which is something extremely rare and precious (and probably at least partly a lucky result of Java's complicated legal history).
(JS has plenty of great utility libraries. The problem is that its package management is excessively centralised and not managed terribly well)
Additionally, it is standard practice in the Java world, which is more "corporate" or "enterprise-y", for better and for worse, to have organisations operate their own internal package registries / mirrors. Even if you unpublished a major package from Maven Central, many organisations would be completely unaffected because they retain archived copies of all of their dependencies.
I don’t see how the size of the package matters here.
But I think the GP's point is that the culture in other ecosystems didn't lean as heavily into "there's a package for that®" as JS does
He fulfilled his responsibilities as an author.
left-pad will happen again. Maybe not on NPM, but on crates.io/pypi/Google's go proxy. All it takes is for a developer to join the ICC and piss off Trump and suddenly the code is impossible to find on any of the standard repositories. Even Go will have issues because despite the Github references, all the standard go traffic still goes through Google. Or even worse, someone fights back against a recent invasion and uploads a virus that wipes the drive of whatever locale they're targeting.
Wow, I couldn't think of a worse rebirth.
I understand if your values contain something like "money for me is good", but do your values also contain something like "money for this random guy is good"?
It's not that I don't value those things, it's that I think they're actively harmful (at least some of them), and that being passionate about them shows very toxic personality traits.
It's because you haven't read al-Ghazali yet.
(definitely the most pompous and self-important part of this post)
I’m quite familiar with both western and eastern traditions, don’t know any better source than Ghazali’s “the alchemy of happiness” about how people make decisions.
It’s kind of ironic to see people being triggered by just the mention of it though — just reflects what your heart tends to reject impulsively. I wish you curiosity.
P.S. Here's the full quote, it entertainingly describes the ignorance here:
“first, they didn't look at the dates of the emails. They don't understand the timeline.
second, they can't relate to standing your ground in a high pressure situation involving threats.
and third, they haven't read Al-Ghazali yet, don't quite understand how (free) people make decisions”
> And third, they haven't read Al-Ghazali, don't quite understand how I make decisions.
Not everyone makes decisions guided by the heart. Many people lean more on reason and logic.
I don't know that I fully buy this either, at least not the anger part.
I can look back on all this with wry amusement nowadays but I remember it being pretty frustrating at the time.
It sort of felt like, well, either you knew what the impact of unpublishing all your packages would be and you did it anyway, which makes you kind of antisocial, or you didn't know what the impact would be but did it anyway, which makes you kind of a hothead. And in this latest piece Azer has admitted that he didn't understand what the impact would be so... y'know... I do wonder if anger was at least a small factor.
Regardless, it's pretty clear that npm bear a lot of the responsibility for what happened. It's also something that happened a very long time ago and, as I've already implied, is just a funny story nowadays, not something I can manage any ire towards Azer over.
He wants to remove his stuff, but isn't sure what the right way to do it is, so he asks npm. npm provides him with a set of scripts to run to remove his stuff, and he, presuming that it's "ok" if npm told him to go ahead and run them, runs them. The impact isn't especially important to him, but since npm just gave him a set of scripts with an implicit "oh okay you want to remove your stuff, here I wrote you a script you can run to get it done," that makes it more of an npm choice to handle it in this manner. npm asked him to handle it this way, so he did.
Being neutral and seeing a good way forward is not something practiced, taught or celebrated in western, esp. American culture much. One always needs to have a thrust source (mostly an emotion driven by logic, taught while growing up (e.g.: You should be angry about it)) to make decisions.
In fact, sometimes, you just don't have a thrust source, you just feel like doing it. It feels the right thing to do, and you do it with no emotions attached.
This is a boon, in fact it's called "clarity" brought by being with yourself. Either spending time outdoors, doing some reflection work, or by meditating. I use the same methods when I'm faced with a non-urgent but important decision. Let the way reveal itself. Putting logic and emotions aside and finding the right way is not easy, or the process is not smooth sailing, but I never arrived at a wrong place by following that path.
This whole problem was trivially avoidable, and people get mad at him because they were too lazy to avoid it.
grant me the serenity to accept the things I cannot change; courage to change the things I can; and wisdom to know the difference
So, I'm gonna try and read something by al-Ghazali.
What compels you to say this? Would you be more satisfied if he'd suggested the reader acquaint themselves with Thomas Aquinas or Augustine of Hippo? Are you familiar with al-Ghazali, the scholar, or is he new to you?
You have, rather literally, proven the philosopher's point - while remaining, it seems, ignorant of it.
Or perhaps, you mean to imply that /u/akoculu was doing a good deed not because he cared, but to show off?
The irony is, al-Ghazali asked his readers to question their pomp and self-importance, and to do good deeds because they truly cared, not because it would result in social acknowledgement by the mass collective, whose motives should always be questioned, effectively.
Perhaps, then, your position is more of a reflection of your own condition? One would hope your disdain is borne on an actual understanding of al-Ghazali's position, vis a vis self-doubt ... or rather, one would hope your current position is based on an ignorance of his works, actually.
One should never feel so compelled to deny the enlightenment of others, especially if by doing so, you resort to personally-motivated obscurantism in response.
"Eschew flamebait. Avoid generic tangents."
"Edit out swipes."
https://news.ycombinator.com/newsguidelines.html
We detached this subthread from https://news.ycombinator.com/item?id=44245579.
Since then the name is basically squatted?
Whether you use left-pad or not is up to you... but this Kik story is just a bad look for Microsoft all around.
your phrasing implies that you would say what I said if you knew that acquisition happened later. Weird but OK.
Anyway then let's just say it is a bad look for NPM and any future buyers who decided this is a worthy company