• Jo Miran@lemmy.ml
    link
    fedilink
    English
    arrow-up
    157
    arrow-down
    4
    ·
    11 months ago

    TL;DR: A patent and trademark agent and NPM bullied an Open Source Dev, so the Dev deleted his code from NPM as is his right. The internet broke. NPM restored the code against the dev’s wishes. Corpos win…as always.

    • ramble81@lemm.ee
      link
      fedilink
      English
      arrow-up
      76
      ·
      11 months ago

      I’d say the bigger issue was people live-linking to the files rather than downloading and using a version controlled copy they can control.

        • Ramin Honary@lemmy.ml
          link
          fedilink
          English
          arrow-up
          11
          ·
          edit-2
          11 months ago

          They don’t teach about Configuration Management in web-dev bootcamp

          Ha! Bullshit like configuration management, memory management, optimizing compilers, all obsolete technology! We don’t need that anymore with modern web browsers now that every single computer ever is connected to the Internet, and now that we have AI to write code for us!!! JavaScript is the one true language!

          (sarcasm)

    • Aatube@kbin.social
      link
      fedilink
      arrow-up
      6
      arrow-down
      47
      ·
      11 months ago

      “Bullied”? I mean, the open source app the trademarker wanted to replace wasn’t popular either, and I don’t see how the heck “kik” could be related to something for creating templates. Neither do I see it for messaging, but that is a trademark.

      In this case, we believe that most users who would come across a kik package, would reasonably expect it to be related to kik.com.

      IMO, the dev was the asshole in that case.

      • zout@kbin.social
        link
        fedilink
        arrow-up
        58
        ·
        11 months ago

        Not in my book. They asked him if he would rename his package, he replied sorry but I’m building a project with this name, and they replied that they were going to send lawyers to do takedowns if he would release his project. This would also rub me the wrong way. Also, the dev was already working on the package before the kik company ever came to NPM. Why would he have to give up on the name for his project?

        • zylinderhut@feddit.de
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          11
          ·
          11 months ago

          Because not enforcing a trademark means potentially losing the trademark. Not saying that makes it right, IMHO the system just sucks.

          • pivot_root@lemmy.world
            link
            fedilink
            English
            arrow-up
            11
            arrow-down
            2
            ·
            11 months ago

            For United States trademarks, not necessarily. You don’t have to enforce the trademark to keep it; you just have to renew it on time.

            The problem with not enforcing the trademark is that it opens the term up to genericization (for example, referring to all types of tissues as Kleenex). Genericization will cause a company to lose the trademark.

            I don’t think kik was worried about that. It’s more likely they were bullying the guy into giving up the package name.

            • zylinderhut@feddit.de
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              11 months ago

              I’m not sure you are right. There seem to be an awful lot of lawyers phrasing it less clearly.

              Trademarks require constant vigilance. The moment you let your guard down, there’s a chance that someone else might swoop in and use your trademark without permission. This unauthorized usage could lead to confusion among customers and weaken the association between the trademark and the company it represents. Therefore, defending your trademark should be a top priority.

              Source

              This might be done on purpose of course to attract clients.

              I don’t think kik was worried about that. It’s more likely they were bullying the guy into giving up the package name.

              That might be true regardless of copyright law :)

              • pivot_root@lemmy.world
                link
                fedilink
                English
                arrow-up
                3
                ·
                11 months ago

                It’s been a few years since I dug through trademark law trying to find an answer to this question, but from my understanding, as long as the trademark isn’t abandoned, doesn’t become genericized, and is renewed, it doesn’t have to be strictly enforced through litigation.

                You only really need to enforce your trademark when there’s a chance of it causing confusion about whether goods produced by some other party are actually produced by the trademark holder (which is the scenario your quote is talking about). Take “Apple,” for example. I can’t sell any software or electronics with the name “Apple” on it without infringing on Apple, Inc.'s trademark, but I can sell “Farmer Tim’s Golden Delicious Apples” without issue. If Apple tried to enforce their trademark on a box of apples, they wouldn’t be successful. If they tried to enforce their trademark on Tim Apple’s iJuicer Pro, they probably would succeed.

                Anyway, I think a lot of the confusion about this comes from trademark law being oversimplified into the phrase “use it or lose it.” That’s strictly true when it comes to actually using the trademark, but it’s not actually a requirement to liberally enforce it.

                That might be true regardless of copyright law :)

                A sad truth. You don’t need to win when you can bury your opposition in legal costs (or threats of).

                • Aatube@kbin.social
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  11 months ago

                  I just had a thought: is it legal for lawyers to say half-truths to get clients to use them more and thus earn more money?

                • zylinderhut@feddit.de
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  11 months ago

                  Thanks for your reply. I’m inclined to believe you, as it seems more likely that this was a case of corporate bullshit and not a case of “alas, our hands are tied”.

          • zout@kbin.social
            link
            fedilink
            arrow-up
            2
            ·
            11 months ago

            The dev could claim something like “prior art”, or whatever the alternative is for software. Suppose I trademark the name “is-odd” for a company, should NPM now hand me the “is-odd” package name? This would surely break the internet in the same way is an this case.

            • teddy2021@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              11 months ago

              But see, that’s the thing. Trademark isn’t formally granted or applied for. It has to be for an established thing that has common name recognition like kleenex or band-aid. The purpose behind this is to give legal recourse for someone to defend their brand. In order to trademark ‘is-odd’, you would have to be able to show that people (society in your country really) use is-odd to refer to a class of thing you do/make/own. You could argue that Twitter as a trademark still belongs to the ass who runs the company (by extension) because everyone insists on calling it Twitter. The expression of Twitter now has no bearing on where the trademark lies, if it exists in the first place. That would be copyright.

              Now, I agree that the system is dumb, but npm should also have infrastructure in place to enable renaming so that if a case comes about where a package is renamed, that doesn’t break the internet.

        • Aatube@kbin.social
          link
          fedilink
          arrow-up
          3
          arrow-down
          13
          ·
          11 months ago

          Like NPM said, I’d expect a package named kbin to be about kbin.social, not e.g. some random recycling app. The company wants to open source their stuff. That’s great! And then, kik a bit selfishly doesn’t want some package with only 1 star and 3 watches to confuse the 5 people who would want to look at the source code. NPM doesn’t conflate versions between different packages formerly published under the same name, so virtually no harm done to existing users. People who want Kik’s code would get to find Kik, and people would still be able to use the renamed project. I don’t see a reason for the dev to hold on to their Kik name when it would do a slight bit of harm.

          Though, maybe that’s not how it turned out. NPM later took over Kik’s package again as a security holding to this day, and whatever you think, it’s not a good reaction to unpublish all your popular packages, causing massive code breakage around the world and Facebook going up in flames, prompting the world to reevaluate dependency chains and the world’s dependency on JavaScript- that sounds kinda nice, actually, so maybe I’m glad this happened.

          (also, he already released it)

          • zout@kbin.social
            link
            fedilink
            arrow-up
            7
            ·
            11 months ago

            I get that, but suppose you start a package on NPM named “bronk”. Sometime later someone starts a company with that name. Should you just be forced to give up your package name, just because people suddenly associate the name with the company?

            • Aatube@kbin.social
              link
              fedilink
              arrow-up
              1
              arrow-down
              5
              ·
              edit-2
              11 months ago

              Azer’s repository for his package was made five years after Kik Messenger was released.

      • nick@midwest.social
        link
        fedilink
        English
        arrow-up
        15
        ·
        11 months ago

        Hard disagree. I took much delight in watching the internet collapse when he deleted HIS PROPERTY.

  • Admiral Patrick@dubvee.org
    link
    fedilink
    English
    arrow-up
    42
    arrow-down
    1
    ·
    edit-2
    11 months ago

    I always reel in horror when projects have tiny, ‘negligible to implement yourself’ functions like these as dependencies. See also: is-even 🙄

    Edit: is-even has a dependency on is-odd which has a dependency on is-number. 🤦‍♂️

    • GigglyBobble@kbin.social
      link
      fedilink
      arrow-up
      11
      ·
      edit-2
      11 months ago

      And the whole implementation of is-number which is at version 7.0.0:

      module.exports = function(num) {
        if (typeof num === 'number') {
          return num - num === 0;
        }
        if (typeof num === 'string' && num.trim() !== '') {
          return Number.isFinite ? Number.isFinite(+num) : isFinite(+num);
        }
        return false;
      };
      
      

      The node.js ecosystem has always been madness.

    • Pennomi@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      3
      ·
      edit-2
      11 months ago

      JavaScript is a dangerous shitshow for this exact reason. Dependencies are a security and stability nightmare.

      • Admiral Patrick@dubvee.org
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        1
        ·
        edit-2
        11 months ago

        Eh, I’d say any language that offers a package repository is just as susceptible. I’m neither pro- nor anti- dependency, but I do always try to keep them to an absolute minimum regardless of what environment I’m working in. Sometimes it makes sense to not reinvent the wheel.

        • Pennomi@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          11 months ago

          Yes, but other languages have exponentially fewer packages that install when you add something, making the attack vector smaller and easier to monitor.

          The best way to fix this is for library authors to avoid installing as many sub-dependencies as possible (is-odd, being an obvious example). But that’s a fundamental culture problem.

  • Blue_Morpho@lemmy.world
    link
    fedilink
    English
    arrow-up
    31
    arrow-down
    2
    ·
    edit-2
    11 months ago

    The only part of the story that I’m pissed at is NPM corporation restoring content on their server that they didn’t own and published it to millions for profit.

    Koçulu removed left pad. It was his code.

    Can you imagine the lawsuits if when Disney pulled the license for Avengers on Netflix, Netflix responded with:

    “Millions of customers got errors that Marvel Avengers is missing. So we put Avengers back on our servers.”

    • xor@infosec.pub
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      2
      ·
      11 months ago

      you should see the “is_odd” package…

      it’s like, return (num%2)? true:false

      • 𝘋𝘪𝘳𝘬@lemmy.ml
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        1
        ·
        11 months ago

        People using this deserve that their code breaks. Absolutely ridiculous.

        Neither this, nor the leftpad thing, nor this is-even “package” are things I would even think about for a second before just writing it on my own. I wouldn’t even consider those features (let alone packages to depend my code on!) but basic programming.

        • xor@infosec.pub
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          11 months ago

          well although 1 evaluates as true and zero as false, it’s not the same thing…
          so yes, i did…

      • 50gp@kbin.social
        link
        fedilink
        arrow-up
        3
        arrow-down
        2
        ·
        edit-2
        11 months ago

        at which point do you blame the language for not implementing it natively?

        • Rikudou_Sage@lemmings.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          11 months ago

          I mean, does any language implement is_odd() natively? Doesn’t everyone implement modulus and pretty much assumes that you remember modulus from elementary and can infer that even numbers are those where x % 2 == 0.

        • 𝘋𝘪𝘳𝘬@lemmy.ml
          link
          fedilink
          English
          arrow-up
          6
          ·
          11 months ago

          at which point do you blame the language for not implementing it natively?

          Erm … What more native than number % 2 do you want to have it?

          • Ephera@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            5
            ·
            edit-2
            11 months ago

            2.is_even()

            (I don’t know, if this is possible in JS.)

            • 𝘋𝘪𝘳𝘬@lemmy.ml
              link
              fedilink
              English
              arrow-up
              4
              ·
              11 months ago

              Let’s call the number variable just x, you then have literal math (Euclidean division) if you ignore === instead of = for equals.

              x % 2 === 0
              

              This can’t get better or more native than “just math”. This is the whole code you need to detect if a number is even. I wouldn’t even call it “code”.

              If you remove whitespaces and ignore the type you end up with x%2==0 which is 6 characters long and a fully valid if clause. No magic involved, no abstraction, no weird function calls on integers …

              I see that in modern JS this type of coding is a trend, but you can’t tell me you want to replace 6 characters with an own module or a package. :)

              • Ephera@lemmy.ml
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                2
                ·
                11 months ago

                No, I want that in the std lib. Yes, it would just call x % 2 == 0 underneath. But the advantage is readability. I’m in principle aware that x % 2 == 0 is true when the number is even, but I need it seldomly enough that I do still need to think about it for a second before I know for sure. I don’t need to think about x.is_even(). And the readability is what I want natively, i.e. in the std lib.

                It being in the std lib would also sidestep your concerns about security or the function call having unknown side effects.

        • Aatube@kbin.social
          link
          fedilink
          arrow-up
          6
          ·
          edit-2
          11 months ago

          Isn’t %2 already native?

          (BTW this thing failed JavaScript so hard ECMA immediately included it in that year’s standard)

  • pHr34kY@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    11 months ago

    It’s 11 lines of trash code too.

    The way the function reallocates memory would bring your computer to a crawl on a large string.