This is amazing:

1. a developer of a bunch of popular packages publishes new, intentionally broken versions of them as he doesn't want to support for-profit companies with his free work;
2. NPM *reverts* the packages to older versions against developer's wishes;
3. GitHub *blocks* the developer for acting "irresponsibly".

That story again: developer blocked by for making changes to his own code.

This is why and @forgefriends are so important!


Both npm projects were published under the MIT license. Publishing them under the would make Big Tech not touch it with a ten foot pole, while allowing other free software projects to still use them.

When publishing a project, consider using AGPL. I use it for basically all my public code.

Just to be absolutely clear, as @Gargron noted in a separate thread, this is absolutely shitty of the developer to pull the rug from under everyone (including plenty of FLOSS projects, I'm sure) using his npm packages. A breach of trust indeed.

But for me it is also worth noting GitHub blocking a developer for changes made by him to his own projects.

@rysiek While GH obviously has the right to continue publishing an older version of the software, I wonder whether they retain the right to publish it *under the developer’s username*? That seems like something that should be covered by their TOS but perhaps they missed it?

@rysiek if a developer is pushing changes or code clearly meant only to break things, reverting and blocking are absolutely the right thing to do.

This feels like the freezepeach argument; context matters.

@rysiek @gargron
I have not followed this closely, but if the developer objected to the use of their code, why did they not delete it instead of crippling it?

@wim_v12e @rysiek My understanding is that after the left-pad incident, you can't delete NPM packages once they are posted for more than a short time. It is to prevent someone from basically deleting their code and breaking everything.

@dmoonfire @rysiek

"The Left-Pad Incident"

sounds almost like a spy thriller ^_^

@rysiek I've been toying with switching a bunch of my stuff to AGPL, but I agree. This was a shitty move; just relicense it and move on, *or* abandon the project and create a new one with a license that fits the developer's philosophy and keep going.

I have enough trouble with my customers believing that OSS is somehow worse than closed source projects (I have to report every CVE for OSS dependencies, but any paid-for package is exempt and typically doesn't have one).

Mastodon for Tech Folks