joepie91's Ramblings


Reflections on NPM-gate, one day later

23 Mar 2016

Okay, so let's get these things out of the way first:

  1. I am not a lawyer. However, I have to deal with intellectual property on a regular basis, because of my open-source work. I'm also very strongly opposed to copyright and patents, but have a more nuanced stance on trademarks. If any of this makes you uneasy, you can stop reading here.
  2. This issue was about trademarks. Trademarks are designed to, in summary, "prevent consumers from getting confused or misled as to the origin or endorsement of a thing". This means that trademarks are not a form of copyright: they don't mean that you "have copyright on a name", and most importantly, they don't mean that you "own" the name. I will get back to this later.
  3. This article is based on public sources, and it's possible that some things are inaccurate, if (for example) any of the parties withheld communications or details.

So, for the past day, I've been following the fallout around and reasons for Azer's decision to remove all of his modules from NPM. I've noticed that many people discussing the matter either don't understand the issue, don't understand trademarks, or underestimate the complexity of solving this problem.

Therefore, I've decided to write this post - both as a summary of the events, and as a correction of some particularly common misconceptions.

What happened?

Kik (the company) contacted Azer, asking 'politely' whether they could have the kik package name on NPM. Azer responded:

Sorry, I’m building an open source project with that name.

After that, the following message was sent by Kik (the company):

We don’t mean to be a dick about it, but it’s a registered Trademark in most countries around the world and if you actually release an open source project called kik, our trademark lawyers are going to be banging on your door and taking down your accounts and stuff like that — and we’d have no choice but to do all that because you have to enforce trademarks or you lose them.

Can we not come to some sort of a compromise to get you to change the name without involving lawyers? Is there something we could do for you in compensation to get you to change the name?

At this point, Azer responded with:

hahah, you’re actually being a dick. so, fuck you. don’t e-mail me back.

Kik (the company) contacted NPM Inc., asking them to help out, again alluding to trademarks and lawyers. At this point, NPM Inc. offered to take away the kik package name from Azer and give it to Kik (the company).

Azer felt that NPM no longer represented his interests as a user (and open-source developer), decided he did not want to be a part of NPM anymore, and 'unpublished' all of his modules from NPM.

Consequently, builds all around the world broke. One of the removed modules was the left-pad module, which was used in many, many popular projects, either directly or indirectly.

Azer's response

It's easy to blame Azer for 'being a dick' here. However, Azer initially responded politely, and only became rude after Kik threatened with lawyers, despite having been told no.

If your immediate response to a "no" is to threaten with lawyers, then that was your plan all along, and you were simply asking 'politely' first for appearances, and to save on legal costs. There was clearly no intention to let Azer make a decision in the first place.

Kik's claim

"But," you might say, "they hold the trademark - Azer didn't have a choice anyway, and had to comply". This argument in particular is one I've seen a lot, but it's most likely false.

Holding a trademark doesn't mean you own the name, nor does it work like copyright. It simply means that if somebody could be confused or misled about the origins of something, you can exercise your trademark to put it to a stop. It's a way to protect a brand name, and prevent scams.

That wasn't the case here at all, however - as far as I can tell, Azer's package was completely unrelated to Kik (the service), and simply happened to have the same three-letter name. There would be no room for confusion here at all, which would make this a case of trademark trolling: Kik (the company) just figured that trademark threats would be the easiest way to get hold of a nice and short package name.

It's very, very unlikely that this would have been a legitimate trademark infringement claim. Indeed, no lawyers were ever involved, and it was never more than a threat.

I also don't believe Kik's claim that it was "nothing more than a polite request" - if that were the case, they wouldn't have threatened with lawyers three(!) times.

And finally, I'd like to mention Startup Timelines, who removed Kik from their site for this very reason.

NPM Inc.'s response

NPM Inc. removed Azer's package without any real infringement claim ever having been sent, purely on the basis of the threat of getting lawyers involved.

By doing this, NPM Inc. has painted a giant target on their back towards trademark trolls, saying "here's a cheap target" - it is now known that they will not make an effort to represent the interests of their users, and will fold even without a legal notice being sent.

This is disastrous for the ecosystem, as every developer is now a potential target, and their package might be pulled out from under their feet as well, for an entirely frivolous claim.

Reclaimed packages

Then the next disaster struck, once people realized that not only could Kik (the company) push whatever code they wanted as a patch version to existing users of the kik library... but anybody could register any of the other now-removed NPM packages, and do the same thing.

This is a security issue so significant that I can't believe it even happened. Had a malware author scooped up left-pad, for example, they could have infected potentially thousands to millions of users with a single publish. In fact, that still might happen - because who is nj48 anyway?

This really cannot ever, ever, ever be allowed. Global namespace or not, once an identifier has been used and removed, it should not ever be possible to reassign it to anything else.

But Azer could have published malware as well.

Yes, he could have. But he was the only person who could modify his packages (aside from NPM Inc. itself), and people decided to trust him as a legitimate developer. That trust breaks down when you quietly 'reallocate' a package to a different, entirely unrelated person.

Signed packages would be even better, of course - but even without that, preventing reallocation of package names is the most basic protection you should really have.

NPM Inc.'s history

Unfortunately, this wasn't the first incident with NPM Inc. - in the past, NPM employees have advocated for blocking IPs from the registry, when the users they belong to 'misbehave' (in their view) outside of the NPM registry. It's completely unacceptable to have a small group of people decide who can use critical infrastructure and who can't, based on personal dislike of off-site behaviour.

Returning to security. While I won't go into this too much, I've had poor experiences with NPM staff's handling of security in the past, as well - specifically, with Isaac, who apparently did not understand the severity of the Buffer security issue in Node, yet felt that he could proclaim it on Twitter as "no big deal". I was blocked after showing him a proof-of-concept of the vulnerability. I have heard similar stories from others.

Overall, I feel that both Kik and NPM have handled this issue very poorly, and that there is a history of doing so for NPM. Which brings us to the next point...

Fixing NPM

There have been many ideas, from many people, in many places, on how to 'fix' NPM. From replacing the client, to replacing the company, to replacing the registry with a decentralized equivalent.

Unfortunately, not all of these ideas are thought through or argued well. I'll address some of the common issues below.

Namespacing

A common complaint is that there's a single global namespace in NPM - that is, a single collection of packages, with a first-come-first-serve policy. While a valid concern in and of itself, many people seem to think that this is the reason for the package takeovers that occurred today. It's not.

The problem with the package takeovers is one of mutability and, more specifically, who has permission to do what. Right now, removed packages can apparently be freely re-registered, but this should not be the case, for the reasons I've described before. Imagine for a moment that we had a namespaced NPM, where each package was prefixed with the username of the publisher. Imagine that once somebody removed their account, their username could be re-registered.

What would happen? Exactly the same thing.

Namespaces do not solve this, and if you can prevent reuse of usernames, then you can also do so for package names. While namespaces are worth discussing, they're completely unrelated to the issues that occurred today.
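To make the argument of the last two sections concrete, here is an added example (constructed for this post, not NPM's code) of a toy registry: removing a package frees its identifier, a caret range like ^1.0.0 then happily resolves to a 1.0.1 shipped by whoever re-registers the name, and the outcome is identical whether the identifier is a flat name or a username-prefixed one. The `tombstone` option models the fix described above: never reassign an identifier once it has been used and removed. Names, versions and the `stranger` publisher are made up for illustration.

```javascript
// Constructed model of a package registry (not npm's code). The identifier
// can be a flat package name or a "username/package" prefix; what matters is
// whether a removed identifier may ever be re-registered (the `tombstone` flag).
class Registry {
  constructor({ tombstone }) {
    this.tombstone = tombstone;
    this.owners = new Map();     // identifier -> owner
    this.versions = new Map();   // identifier -> Map(version -> publisher)
    this.retired = new Set();    // identifiers used once and then removed
  }
  publish(owner, name, version) {
    if (this.retired.has(name)) return false;           // tombstoned: refuse
    const current = this.owners.get(name);
    if (current && current !== owner) return false;     // belongs to someone else
    this.owners.set(name, owner);
    if (!this.versions.has(name)) this.versions.set(name, new Map());
    this.versions.get(name).set(version, owner);
    return true;
  }
  unpublish(owner, name) {
    if (this.owners.get(name) !== owner) return;
    this.owners.delete(name);
    this.versions.delete(name);
    if (this.tombstone) this.retired.add(name);        // name can never come back
  }
  // Caret range "^X.Y.Z" (major >= 1): highest version with major X and >= X.Y.Z.
  // This is how a freshly published 1.0.1 reaches every dependent asking for ^1.0.0.
  resolve(name, caretRange) {
    const floor = caretRange.slice(1).split('.').map(Number);
    const wanted = [...(this.versions.get(name) || new Map()).keys()]
      .map(v => v.split('.').map(Number))
      .filter(v => v[0] === floor[0] && compare(v, floor) >= 0)
      .sort(compare);
    if (wanted.length === 0) return null;
    const best = wanted[wanted.length - 1].join('.');
    return { version: best, publisher: this.versions.get(name).get(best) };
  }
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Original author publishes and unpublishes; a stranger tries to re-register the
// same identifier and ship a patch release. Returns what ^1.0.0 resolves to afterwards.
function takeover(tombstone, name) {
  const reg = new Registry({ tombstone });
  reg.publish('azer', name, '1.0.0');
  reg.unpublish('azer', name);
  const reassigned = reg.publish('stranger', name, '1.0.1');
  return { reassigned, resolved: reg.resolve(name, '^1.0.0') };
}
```

`takeover(false, 'left-pad')` and `takeover(false, 'azer/left-pad')` both hand ^1.0.0 to the stranger's 1.0.1; `takeover(true, 'left-pad')` refuses the re-registration and resolves to nothing, which is the failure mode you want.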

Decentralizing NPM

There have been various suggested solutions for decentralizing NPM. This is a very good idea in principle, as it would remove single points of failure, like what we're seeing now with NPM Inc. Unfortunately, most of these proposals won't actually work, because the author underestimated the complexities involved.

For example, you might argue for content-addressable packages on IPFS. But how do you handle semantic versioning? You definitely should support it like NPM does, as it's essential to receiving (security) patches. But purely content-addressable packages rule out this possibility by definition, as they require immutability. And there are many subtle issues like this.

There has been a discussion ongoing about this for a few months now, and it can be found here. If you wish to contribute to building a decentralized package manager, then please read that thread and those linked from it, because they list many of the issues that a naive decentralized implementation would run into. You can't replace NPM with a package manager that is missing features.

In conclusion...

I'm surprised you've made it this far through the article. Either way, the conclusion is quite simple:

We need to replace the central NPM registry, but we need to do so carefully. Also, Kik needs to stop pretending that it was a polite request.

To end on a more amusing note, from the Node.js IRC channel:

[20:34] <TheEmpath> Hey guys, I've created a package that converts characters into yellow/gold N'ko, a modern unifier of the Manding languages spoken by mansas throughout medieval North Africa. You can try it out with npm install goldmansachs

And yep, it actually exists.