This whole debacle mirrors Gamergate
I didn't have a bloody clue what was going on then, either.
Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koçulu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koçulu yanked his …
ITYM the whole debacle shows up the standard use case for javascript for what it is - a fragile conglomeration of scripts scattered about the internet which then get dragged into a web page when it's loaded, giving multiple points of failure. Aside from that, I can't actually think of a more lax, indifferent approach towards security with a better attack vector for malware in the whole programming world.
"Yeah, let's just load in joescode.js from scrits-r-uz.net each time our page is loaded and hope it hasn't been broken/deleted/corrupted". What a brilliant development model!
Javascript kids - is it really so hard to download common code onto your own website, having checked it first? OK, maybe you won't get updates so fast, but you won't get shafted like this either.
Well not really much. Developers will get the dependencies as they work (using bower or whatever the JS dep manager tool of the week is), and then build a single JS file at deployment time (using webblywobblify or the JS build tool of the week), and that goes up to the server for production. I doubt anyone has ever done <script src="http://randomsite.com/pad-left.js">
I'd only ever load something from a non-local site if it was something I regard as stable, popular, and coming from a robust CDN.
Node modules aren't loaded on page load separately, they are usually bundled into something larger. Think like Python modules or C libraries, they're part of a larger whole (except in this case they're JavaScript). I don't think that unpublishing his packages would 'break the internet', it would just stop people from updating their modules during development.
For client side JS, competent devs compile it into a bundle anyway and load it server side. Everyone wants you to use their CDN for some reason though.
The node package manager (npm), though, is abominable and incredibly easy to break.
I also think it's bullshit that the npm maintainer re-published his packages - if they give him the ability to unpublish his work, they are giving him the agency to do so at his choice. Someone could publish a new left-pad that does much of what his script does instead. Then he could sue them for trademark infringement and create a constitutional crisis.
That may be your working model, but look at the majority of medium to large websites - their pages all load separate javascript files from assorted sites.
Yes. This is readily apparent when you run something like NoScript. Oh, look, scripts from a dozen domains are blocked on this page. Let's temporarily allow some to try to get this thing working. Great, those have remote dependencies on scripts from another dozen domains...
ECMAScript is the C of the decade. In certain domains it's perfectly suitable, but it's widely used by people who ignore its pitfalls for purposes it is not well-suited for. It's possible to write good ECMAScript code, even for non-trivial projects, but it requires discipline - something few developers seem to care about.
Define "good" ECMAScript.
ECMAScript doesn't expose a modulus operator nor define a method of modularising applications.
In short, it's a hack lacking in almost every meaningful way the basic utilities one takes for granted in languages invented after COBOL; it's neither portable nor well-specified, both of which gave C its longevity.
Being used by people who don't know any better is hardly a reason to drag C's good name into the gutter.
"Javascript kids - is it really so hard to download common code onto your own website having checked it first"
Exactly! Is it any wonder that pages take so long to load when shitty little bits of code any beginner could knock up have to be dragged in as *live* dependencies from some 3rd party server? WTF are these people thinking? FFS, this left-pad thing was one of the exercises in BASIC programming in GCE "O" level Computer Studies (No kids, that wasn't a mistake, GCE predates GCSE, yes THAT long ago) back in about 1979 when I took the exam.
For that matter, WHY are code snippets like that even made available for live linking? No one could possibly own any IP on such a simple and obvious technique.
Yeah, it's not 2005 anymore. No production webapp is built that way. If yours is, you've got some shitty Web devs on your hands. You need to give them a week to learn what a gulp plugin is, or they're fired.
Yes, that's right, we primitive javascript "kids" have discovered these miraculous things called build tools! Anyone would think it was a real language or something. Dipshit.
Did you not even bother to read this comment thread before adding to it? This has already been pointed out. Left-pad was not being "live linked", but pulled in as a static dependency at build-time. This did not "break the Web", it broke nightly builds.
Get down off your high horse before you get a nose bleed.
So, what you're saying is that your organisation's software development process can be stopped at any time by a third-party in a different jurisdiction. I'd love to have the kind of Programme Manager who'd hear that and say "Oh, the builds are broken? Because a guy in XYistan broke a module? And he's not answering his mails? That's fine. I'll tell the client that the service won't ship until an indefinite date in the future, and you guys can all go home early.."
The purpose of any build system is to produce repeatable outputs from your source-code, and to provide an audit trail for your releases. Repeatable is hard when you effectively do Lucky Dip dependency resolution. A build-system worthy of its name can check out any previous release of software by ID, and produce a binary-identical output product to that. A build process is language independent: you might need different tools, but using a particular language for development doesn't magically absolve you from responsibility.
Live-downloading isn't a "static dependency". "static" means "not moving", and you cannot guarantee that from a remote resource. You can barely even guarantee that if it's your dynamically-fetched resource. (Versioning components doesn't help you; you're still relying on strangers to not change code without re-versioning...)
So, if you're live-downloading every time you make a build, explain to me how you guarantee that those remotely-fetched dependencies don't dramatically change between the developer writing the unit tests and your automated build system running them? There's a good way to waste development time. Also, how do you guard against someone maliciously injecting a backdoor into that crypto class you download every time you make a build?
More to the point (and this is the real reason companies spend money on revision control and build systems): Imagine it's next year, and you're being sued for doing something nasty, and to provide evidence of your innocence, you've got to set up a server with your company's software the way it was on the day of the alleged offence. How the hell are you going to rebuild it? Wayback Machine? Well done, you've just handed their lawyer the downpayment on a yacht.
ALL dependencies used by a project must be accounted for. If you're not doing that, you're just wasting time and effort - you've got a glorified compiler/packager that offers no better consistency or auditing than just deploying straight off a developer's workstation.
>Left-pad was not being "live linked", but pulled in as a static (static eh?) dependency at build-time. This did not "break the Web", it broke nightly builds.
>Get down off your high horse before you get a nose bleed.
Way to reinforce the original poster's overall point Mr. Web "Developer". At least your UI follows whatever web 3.0 industry design guidelines are in fashion currently with the hipster millennials eh?
"No production webapp is built that way."
Except every one of them. I'm using NoScript and it tells me directly what domains/sites javascript is trying to access. This page alone has 6.
Allowing all 6 creates 8 new ones. No idea what kind of 'production webapps' you use, but that's the way web pages are generated nowadays.
Oh yeah, you read an article and you're advising developers on how to organize their work, really? Do you have any comprehension of how the entire stack works and what was actually deleted and loads from where? Yeah, that webpage you made in 98.... You are demonstrating your profanity - you have no idea of how expensive it is to produce production quality, reusable code. The reason why the open source community exists is because it is efficient and reliable... but yeah, script kids, playing jenga code.
"This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people"
So he moved to github lol.
Thankfully I wrote my own padStart function as a polyfill. Eventually, in like 10 years, ES7 will add padding a string to JavaScript as standard.
Oh please, 30 years ago was 1986, the year the Spectrum 128 and BBC Master 128 were released, they were hardly long in the tooth then, 4 years old in the case of the Speccy, 5 in the case of the Beeb.
Still a great fan of both platforms, the Sinclairs for bringing computing to people who couldn't otherwise afford it and the BBC for creating an excellent machine with a structured BASIC, an understandable, accessible OS and a proper assembler, in ROM.
Still have one of each set up here (although rather modified/expanded to make use of modern storage solutions, CF and Ethernet in the case of the Speccy, SD in the case of the BBC (bit-banged SPI using the user VIA to do SD access)); if curious see: http://kupo.be/tpics/oldsystems20160307.jpg
Actually BASIC was introduced into classes at Dartmouth College 52 years ago, and I suspect that padding a string on the left was something that cropped up in class within the first couple of years of using it as a teaching language. By the mid-70s it was used all over the place. So I think 40 years ago is more likely than 30, and it's quite likely that it turned up in a tutorial developed at Dartmouth 50 years ago.
"What's wrong with a repeat string function then right(lengthNeeded)?"
`String.prototype.repeat` didn't officially exist until last year. Yes, it can be done more efficiently than repeatedly adding a single string together. (Mine takes no more than 2 × log2(N) concatenations to produce N repeats.) But typical paddings are a handful of characters, so that's probably as efficient as anything: remember we are on 64-bit machines where you can have 8 UTF-8 characters in a single register; concatenation is just bit shift and bitwise-or.
>Thankfully I wrote my own padStart function
This chimes with me as well. How often, in Python/Django you see an SO question that requires 20-30 lines of code.
With the recommendations to pip in package XYZ that does it for you. Now you have an external dependency for something super trivial.
JS should really tweak some basic stuff though. Even the humble sprintf seems missing. I use Handlebars for that now* but it's like swatting a fly with Yamato's 18"s.
* and mostly for templating
It would have been truly karmic justice if by removing the NPM code, Kik's own website went down. Do they have a website? I have no idea, it just isn't worth the bother to look at them.
They have a website with the worst privacy policy ever (you can't examine the whole policy, you have to walk through it one chapter at a time), and despite being apparently a Canadian company (don't know this for certain - I'm really starting to dislike companies that don't put their address on their website) I would not trust them with ANY data because they appear to genuinely have no idea how to protect their users.
Not that I would ever use them anyway as I'm quite happy with the apps I have, and I am rather unimpressed by how they took this on. Overzealous lawyers are IMHO more a corporate risk than a benefit.
No, that's wrong. Every package has its own license, which may or may not be permissive. E.g. you often see GPL, MIT or Apache licenses.
I notice that the left-pad utility in question actually has no explicit license so is covered under normal copyright laws which could raise interesting questions for users who haven't checked they've got explicit permission to use it anyway.
I dunno, old status page shows the license as BSD:
http://web.archive.org/web/20150922113035/https://www.npmjs.com/package/left-pad
The author now updated the meta info to WTFPL, which is decidedly non-FOSS-compliant ;), but still works in this case.
Of course the salient point is whether metainformation constitutes a valid license specification. IANAL, but I suspect NPM have a strong case in that regard (not that I condone their general behavior, as stated in the prior post).
IANAL, but I don't think it's legally open-source. The only words about copyright/license in the entire commit history (at https://github.com/azer/left-pad) are these two tags in package.json:
"author": "azer", "license": "WTFPL" [originally "BSD"]
No BSD license text. No "Copyright 2014 (real name or alias)".
DMCA takedown in 5... 4... 3...
None of this puts npm as an organization or as a package manager in a good light. They'll instantly cave to vague threats and willingly change ownership of a package (kik) to do the bidding of a 3rd party in contravention of their own dispute policy. If you terminate your agreement with npm, they'll keep your IP (left-pad) if it suits them, in contravention of their own terms of use. Who was it that removed the BSD license and changed it to WTFPL? If not the author or at their behest, then someone violated the license terms.
To my mind, it also seems a little worrisome that there are so many dependencies built into these packages. You really need to add a dependency for a simple text padding function? Really?
>"I mean, come on, what's more open and free than "do what the f- you want"?
>Does that mean I'm free to copyright it?
It's a license to use something to which someone else has copyright. Copyright is the possession of the *author*.
Copyright can be assigned but the *license* doesn't assign the copyright (and it can't, logically; then it would be a copyright assignment, not a license.)
You can copyright any derivative, but if you ask a lawyer the lawyer will still want to speak to the author of the original work.
That's why when you go to work for someone else they ask you to sign away all your copyright rights. Oh, no, they don't actually *ask*, it just happens when they pay you (see the 'for hire stuff', and this is only in the US, which didn't adopt standard copyright laws until very late):
http://dearauthor.com/features/reclaiming-your-copyright-after-thirty-five-years/
John Bowler <jbowler@acm.org>
I've no idea what the NPMs terms are, but publishing content against an author's wishes seems more significant than withdrawing content because it has a name that clashes with that of another, unrelated, product.
And in the time it took them to write that PR statement, they could have written their own implementation of "left-pad" and published it under the old name and version, avoiding any legal or ethical issues around restoring the original code.
Ah, well. Maybe this will be an object lesson for people who use NPM, and maybe it'll draw some well-deserved ire down on Kik.
Well, if he published it under one of the FOSS-compliant licenses (or a few of the non-compliant OS ones), as long as NPM had a copy of the package, they were free to republish without violating the license. And in general it's a Good Thing™.
However, fail icon since the NPM folks clearly made a half-assed job PR-wise and acted shittily towards the developer - it doesn't seem likely that the trademark case would hold up in court.
Come on, the code in question is trivial.
As a few people pointed out this is like taken from a 30+ year old basic tutorial. It will probably fail the Lego test of copyright - you cannot copyright the "natural form" of something. You can patent it, but not copyright it.
Granted, javascript is a primitive language, but nonetheless, even with all of its primitiveness I would have expected it to do this as a part of the base spec (*) in one line. Python and perl certainly do - * and x operators on strings respectively.
(*) I am aware that char repetition was added to the spec last year. That is still not pattern repetition or string repetition, which Perl has been able to do for more than 20 years in a single statement and Python for more than 15.
Exactly. If he published his code before the company was official then he can turn the whole thing on its head & sue them for the very thing they're claiming he's done.
I hope he can, does, wins, & gets enough in damages/penalties to put the bastards out of business.
Yes an application developer deserves to be paid for their hard work, but not if you're doing it by shafting the programmers that make your code possible in the first place.
"Timing has little to do with trademark infringement, it's more about perceived good will in the brand and whether the brands could be confused, i.e. whether they cover the same 'class of goods'"
Except in the US where Intel were able to stop an HR company calling itself Gentium (!).
The real problem is that US law has no concept of "de minimis non curat lex" which in this country would get any potential case thrown out as the risk of confusion was so obviously zero.
(And I hope Kik the company dies painfully of negative cashflow while its executives are left to beg on the streets of Juarez, but that's just my view.)
>> whether the brands could be confused, i.e. whether they cover the same 'class of goods'
>By threatening to sue, Kik implicitly asserted that that's the case. Oops... muahahah.
It may well depend on what classes of goods Kik have trademarked with this branding - while they may currently be known for some shoddy messaging app, they may have also trademarked "Kik" in a variety of places/contexts.
A long time ago, there were a few articles laughing and pointing fingers at Mick Jagger for filing trademarks on his name in a variety of classes involving soap and perfume. Lawyer-type back talk was that he did this merely to prevent someone else from doing it.
I still think Kik are behaving shittily, though.
"it's more about perceived good will in the brand and whether the brands could be confused."
Classic example I put up. The name "Cracker Barrel" has at least TWO non-conflicting registered trademarks (meaning the government has looked at them and agreed they're non-conflicting): one belongs to Kraft for a brand line of cheeses, the other belongs to a restaurant chain with an old-town theme appropriate for the name.
> it's more about perceived good will in the brand and whether the brands could be confused,
He could argue that there is no risk of confusion, but now Kik can't: their legal missive is proof that they believe that confusion arises, so they've shafted themselves. They can't now argue that there is no confusion because they've legally stated that there is.
Sadly, in Canada (where the complainant is based) both trademarks and patents are issued on a "first to file" basis, not a "first to invent" basis.
This means that a trademark troll can register a trademark on your existing but unregistered brand, then force you to change your brand name, provided that he actually uses his trademark for a commercial product, and that the product in question is of the same general classification as yours (e.g. software).
Even so, these caveats have not actually dissuaded trademark trolls (such as Apple) from threatening those with similar branding for entirely unrelated classes of products.
This is one of the many things wrong with the way Node.js is used in practice. NPM is dominated by a company called NPM Inc., which basically runs a code hosting site. However, people routinely automatically pull packages from it when they have no idea what is in them or whether any changes have been made in the rat's nest of dependencies that they don't even know exists. If NPM Inc. were to do a SourceForge and start doing who knows what, loads of software systems would be stuffed as their automated develop/test/deploy systems are built around NPM Inc being there and being trustworthy.
But if you want to use Node.js you pretty much have to get stuff direct from NPM. There's not a lot of direct support for Node.js libraries in typical Linux distros. For example, if I do a search in Ubuntu 14.04, there are only 146 Node.js associated packages. If in contrast I do a search for Python, I get 4656 results. And those 4656 results will in most cases be non-trivial items, useful, and with a reliable history behind them, because they wouldn't get into Debian (and thus Ubuntu) otherwise.
I evaluated Node.js and Python for a project a couple of years ago. I wrote a simple server which exercised the core functionality where I expected to find the bottleneck. I couldn't find any decisive performance advantages for Node.js, as the "winner" depended upon the nature of the data being sent. Node.js's theoretical JIT advantages were negated by Python's more efficient libraries and the fact that Python has a lot of functionality built into the language syntax (where it runs as the underlying language run time machine code) instead of writing a lot of explicit byte twiddling code. Add to this the fact that a few lines of Python equal many lines of Javascript (e.g. this 11 line string padding function would be a one-liner in Python) and I find it pretty hard from a business perspective to justify writing anything using Node.js.
P.S. - Look for a repeat of this fiasco with Docker, since Docker Inc. has applied more or less the same "walled garden full of wild toadstools and noxious weeds" business model to the container field.
P.P.S - The "left-pad" package is at version 0.0.3? WTF? Were there 2 previous versions that had to be fixed? Was he planning on putting out a 1.0 eventually?
Your claims are incorrect.
1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc.
2. NPM does actually allow "shrinkwrapping" of dependent modules, which would safeguard your code from a module disappearing on npm.
3. The attack on Docker is even less warranted since Docker doesn't force anybody to host images with them, rather: every responsible company using Docker in production hosts all required images themselves (software for doing so is widely available).
4. Node.js will smoke out any Python code in I/O-intensive operations, and nobody knowledgeable ever claimed Node was "faster" than Python for CPU-intensive work. Also that debate is completely out of scope for the article at hand.
>Go will smoke out node.js on any I/O intensive operations.
Indeed. No one of clue should be using Python or Node for a web server. They're both ludicrously slow - Python more so than Node, but Node isn't exactly speedy.
Between Django, Flask, Rails, and Node there's so much Lego Level Developer bullshit in that space it's not true.
See e.g. some benchmarks.
>Indeed. No one of clue
Generalizations, the hallmark of brilliance. Not.
https://www.shoop.io/en/blog/25-of-the-most-popular-python-and-django-websites/
There are plenty of big uns on Django. This was the first link I found and some claims seem dubious, but the fact stands.
Or would you code a site in C++?
Java? Please. Much as a missing lpad in JS is silly, didn't Java programmers have to wait till java 7 for a built-in File copy?
1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc.
I call apples and oranges.
AIUI (and hell, I try and keep clear of all this shit), Web 2 "design" loads shit dynamically from places all over The Interwebs. So if any of that breaks, your website/app immediately breaks.
It hardly needs saying that RedHat/CentOS/Debian/Ubuntu package management works nothing like this.
For starters, the packages aren't dynamically loaded. And it's all cryptographically signed by the distributor and verified on installation. Does your website demand that the browser does that with every Random Piece of Javashit that it grabs ??
I could go on....
Red Hat does this little thing called "review" and "Quality Assurance" before the code goes anywhere near release process, let alone signing and publishing in repository.
As does any other half-decent Linux distribution. Hell, even Apple and Google do at least cursory review of the fart apps they ship through their package managers.
While anyone can publish anything on sites like PyPI, NPM, RubyGems... Admins/Moderators/Owners of those simply Don't Care™
"1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc."
Better package managers, like NuGet or Ruby Gems, don't allow users to delete their packages once they've been published, precisely to prevent the problem that has happened here on NPM.
Of course even with those you still have the risk of your dependencies disappearing due to legal threats or other special circumstances. I've never really felt comfortable relying on pulling my build dependencies from a package manager, even if it is the recommended model with the likes of NuGet.
*"...Look for a repeat of this fiasco with Docker..."*
At the risk of sounding like an old codger, I think this is symptomatic of 'the yoof' of today.
Now I'm all for DRY and "not re-inventing the wheel" but sometimes I think we've gone too far the other way. No fecker bothers to work out how to do anything for themselves any more. They just bolt together a load of packages built by someone else and hope it works.
I'm in no way a high-level coder, but I do freelance web development, some JS tinkering and server config, and I hand-code most of what I do.
I've been called in on a few occasions to help web developers at design agencies who need something adding to their site, or to troubleshoot when they can't get something to work.
A lot of the time I find they've no idea what's going on in their own code because they either build the sites in some WYSIWYG app like Dreamweaver without ever looking at the HTML which is being output or – if they're feeling really adventurous – they "Hand Code". By which they mean download Twitter Bootstrap and embed jQuery in it – again, without having any idea what any of the code is doing. I've seen jQuery used on websites solely to provide some minor functionality that a single line of JavaScript could do.
Seems to me NPM and [since you mentioned it] Docker are just more examples of this. Only Docker is bringing the practice to server management.
Instead of actually doing a bit of `apt-get` and setting a few config options, just press the big magic button and the internet unicorns will set everything up for you. It doesn't matter that you haven't a clue what's going on and have no idea how any of it works [or what to do when it doesn't] – congratulations! You are now a "Server Administrator and Back-End Developer"
"They just bolt together a load of packages built by someone else and hope it works."
'round here we call them Lego Coders. Like most three year olds, they recognise the pretty coloured blocks and can make them fit together in some random, occasionally useful, way.
just press the big magic button and the internet unicorns will set everything up for you. It doesn't matter that you haven't a clue what's going on and have no idea how any of it works [or what to do when it doesn't]
And this brings us back to the old SF story referenced in another article's comment section the other day, E. M. Forster's 1909 short story "The Machine Stops", or for those who prefer not to read, the BBC Out Of The Unknown episode, a 100+ year old story of how tech developers don't know how their tech works and can't fix it when it breaks.
The change log:
0.01 - first implementation of leftpad(). Left pad to fixed length of 64 chars. Pad with the fixed string 'banana'. Send padded string to Microsoft telemetry server.
0.02 - correct logic to left pad rather than right pad. Allow setting of both length and pad character, following user requests.
0.03 - don't go into an infinite loop if pad string is ''. No longer send padded string to Microsoft. First stable version.
If ch isn't a single character, then the len param makes no sense. Calling leftpad with ch set to 'fondue' and len set to 100 won't result in a 100 character string.
I can see v0.04 being required pretty soon. I could of course submit a patch. But I don't care enough about left padding strings in JS.
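Both the 'fondue' objection just above and the earlier claim that N repeats need no more than 2 × log2(N) concatenations can be checked in code. This is an added example, not the left-pad package's own code: a left-pad whose signature (str, len, ch) is assumed from the thread, which treats an empty pad string as a space rather than looping, cuts a multi-character pad to size so the result is exactly len characters, and builds the padding by doubling while counting the concatenations it performs.

```javascript
// Added example; not the left-pad package's own code. The (str, len, ch)
// signature is an assumption based on the discussion above.

// repeatString(s, n): s repeated n times, built by doubling. Returns the
// string together with the number of concatenations performed so the
// 2 * log2(N) cost claim can be checked rather than taken on faith.
function repeatString(s, n) {
  if (!Number.isInteger(n) || n < 0) throw new RangeError('n must be a non-negative integer');
  let result = '';
  let chunk = String(s);
  let concats = 0;
  let remaining = n;
  while (remaining > 0) {
    if (remaining & 1) {          // this bit of n is set: add the current power-of-two chunk
      result += chunk;
      concats += 1;
    }
    remaining = Math.floor(remaining / 2);
    if (remaining > 0) {          // double the chunk only while bits remain
      chunk += chunk;
      concats += 1;
    }
  }
  return { value: result, concats };
}

// leftPad(str, len, ch): pads str on the left to exactly len UTF-16 code units
// (astral characters such as emoji count as two, as with String.length).
// - str is stringified, so numbers work too.
// - ch defaults to a single space; an empty ch is treated as a space instead
//   of looping forever (the bug the 0.03 changelog entry above refers to).
// - a multi-character ch is repeated and then cut to size, so the result is
//   still exactly len characters, which is where the 'fondue' objection bites.
// - if str is already len or longer it is returned unchanged.
function leftPad(str, len, ch) {
  str = String(str);
  if (!Number.isInteger(len) || len < 0) throw new RangeError('len must be a non-negative integer');
  ch = (ch === undefined || ch === null || String(ch) === '') ? ' ' : String(ch);
  const padLen = len - str.length;
  if (padLen <= 0) return str;
  const reps = Math.ceil(padLen / ch.length);
  const pad = repeatString(ch, reps).value.slice(0, padLen);
  return pad + str;
}

// Constructed inputs covering the cases discussed in the thread.
function demo() {
  return {
    fondue: leftPad('abc', 10, 'fondue'),   // multi-character pad, cut to exactly 10
    number: leftPad(42, 5, '0'),            // numeric input, single-character pad
    emptyPad: leftPad('x', 4, ''),          // empty pad string does not hang
    tooLong: leftPad('abcdef', 3, '0'),     // nothing to do, returned unchanged
    repeats: repeatString('ab', 5),         // 10 characters from 4 concatenations
  };
}
```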
1. Why is actual serious commercial software being written in a language where you have to include an external component just to left pad a string?
2. Why is actual serious commercial software being written using components that are themselves written by unpaid bedroom coders and chancers who have no liability, no SLA etc.. Who are the idiot project managers who allow this?
1. Because everyone knows Javascript is cool, so software written in it must be cool too.
2a. See 1.
2b. The less an IT project manager knows about actual IT, the smarter they think they are. "I'm not an IT guy, I'm a PM, so I've planned in your task to take 3 weeks assuming you started in December. So why isn't it done?"
1. Why is actual serious commercial software being written in a language where you have to include an external component just to left pad a string?
Because JavaScript is the only option if you want your application to run in a browser; and lots of people want that because it means applications that don't have to be installed on a client machine, so you don't need to distribute a version for every operating system and then hope the users can install it themselves. JavaScript, like every other language, doesn't have every possible feature, so you have to make it yourself.
2. Why is actual serious commercial software being written using components that are themselves written by unpaid bedroom coders and chancers who have no liability, no SLA etc.. Who are the idiot project managers who allow this?
Lots of serious commercial software uses open source software, the advantages to the project manager are cost and the ability to fix or tailor it yourself if you need to. Unless you've never written a significant commercial system, you've probably been doing this yourself, but you just didn't know.
1. Javascript is now being used outside the browser. Node.js is one of such runtimes. Having to rely on such large number of incoherent dependencies is a very bad way to design and write code.
2. Serious commercial software developer likes professionally written libraries. If source code is available, that's a plus. Just, not only open source code is available. I use several closed source commercial libraries for which source code is available. Of course, you pay for it, but the cost is offset by the ability to debug or modify it if needed. If you use open source just because it's cheap, believe me, you have a problem...
"Left-pad was fetched 2,486,696 downloads in just the last month"
There are LOADS of reasons why the current dependence on 3rd party sites & domains of websites is stupid, not just this example.
Privacy
Security (not serving malware if someone hijacks a domain)
What's wrong with actually storing everything your webpage/site needs on your own server? If it's a site with a lot of transactions you can even cache whatever it is in RAM, or even on another server.
This is an example of what's wrong with programming and website development. As for people using Google's content to make their site go ... Well, just stupid and a poke in the eye privacy-wise for their users.
Unless you're a real idiot developer and deserve to have a broken site you *won't* be loading your JS from lots of random sites. You'll use bower to download the dependencies into your project where they will live quite happily. You then push your site to the server. And the site will work even if the original dependency developer throws their toys out from the package archive.
What will then break is the build process. The site won't. Nobody has <script src="http://npm.org/left-pad.js"> in their site - alongside the other 2000 script tags you need it would take forever to load.
It's done so that large libraries will not need to be downloaded by each visitor to your site as many will already have the library cached from another site.
Therefore, especially for mobile devices, having the various versions of jquery already cached on your device (from visiting a different site which uses the same resource from a central repository) means a much quicker download of your webpage. It can also reduce latency as the CDN is likely to be closer to your users for global queries, reduces bandwidth from your server and helps avoid any browser (or server) limits with parallel requests.
Sites that do this should of course use a fallback to serve locally if the CDN is not available. However, as for privacy, most sites are using Google Analytics anyway and for all their worth Google servers are pretty secure (at least from randomers).
There are tradeoffs of course and in an ideal world people would just use the specific functions they require written in a pure scripting language (or even just a markup language) and not use libraries at all to minimise bloat etc. However this is the real world and browsers are optimised to run libraries fast and developers are expected to belt out solutions at a high rate of knots.
...said library call would be compiled into your local image, not yanked in from a remote site in most languages. However I'm not aware of many languages supporting standard libs with a leftpad function so you'd actually write your own, inline that one-liner function or embed it in higher level string formatting.
I agree with what you are saying, but there is also the possibility a library is full of bloat and dependencies and 'who knows what' and, if an external resource as here, could disappear at any instant or change in some unexpected way which breaks things.
It's not a binary choice of use libraries or don't, it's a more complicated matter than that.
I was surprised how much broke for what is such a simple function which I would have in-lined myself. In this case the library could be restored, but it would have been a different matter if it could not have been.
Hopefully this will be a wake-up call for those who slavishly use third-party libraries without ever considering the consequences of doing so.
In my case, even the ones I "supposedly wrote" can be found in "The Art of Computer Programming" [Knuth] or the literature since. I pretty much wrap it all in validation code and off I go to the next piece. I've had to create whopping two original algorithms in my life to date. I even comment in the code as to where I got something and why I'm using that particular code. To me, that's just being [1] honest and [2] letting the maintainers have a heads up if some future "better technique" should come along and where to fix it.
I'm an engineer which means I build things with the tools and components that Computer Scientists have developed to date. Ain't any different than my approach to nuclear, or any other field of, engineering. Yeah, I really can do the theory end of things (extremely well in truth) but that is not how I want to spend my time, thank you very much.
Given how development is done these days, I'm actually surprised there wasn't truthfully much more breakage. Dreamweaver (a tool I used to beta regularly for Macromedia way back when) was a leading indicator of where web coding was headed.
"Sounds Kool. Where'd the name come from."
I keep seeing it on my travels and thought what a clever word.
Kik.co.uk
Kik-Kid.nl
kik-textilien.com
kikschools.org
kikik.net
kikradio.com
...
I wonder if the lawyers sent all of these a threatening email...
I naively thought the whole point of OSS was that the developer(s) couldn't one day just throw a wobbler and tell you that you couldn't use the code anymore. Or suddenly decide to charge you loads of money. Not, of course, mentioning any names such as Microsoft.
As far as I can see this developer has had a spat with the firm hosting the code, and made it very public by pulling all his code from the repository. Obviously effective from the article here.
Just needs someone else to pick up the code and re-publish.
As already commented, hopefully this will make developers think a bit more about where their code comes from. Then again this does make for very Agile coding.
> I naively thought the whole point of OSS was that the developer(s) couldn't one day just
> throw a wobbler and tell you that you couldn't use the code anymore.
...
>made it very public by pulling all his code from the repository
...
>Just needs someone else to pick up the code and re-publish.
But from the bottom of the article:
"Meanwhile, Oakland-based Koçulu has hosted his work on GitHub. "
so it is all still published and accessible - just not from NPM. Ok, that "just" seems to lead to some fun times...
"I naively thought the whole point of OSS was that the developer(s) couldn't one day just throw a wobbler and tell you that you couldn't use the code anymore."
Open Source means exactly what it says on the tin. The Source is Open for all to see. Depending on how it's licensed, that may be all you can do with it. Look. More likely, it will be licensed in a way you can use it and even redistribute it, but there are likely other terms and conditions attached such as "paying back" your changes, or always attributing the original author, or making your own code which uses the licensed code use the same or a similar licence, or any of a million other conditions. It's quite rare for OSS to be completely free simply because in some jurisdictions that means someone else can come along and copyright/patent/trademark it and effectively legally steal it from you. If you want your code to be free for all to use then you have to release it with a licence stating that it's free to use and modify but that you retain your original rights over the original code at the very least.
If you search for "npm as user", one of the top results is a page I wrote in 2011. Five years later, NPM still wants to be installed as root. WTF.
I could easily unpublish this page -- linked to by a bunch of Stackoverflow answers and so forth -- and there's not a damn thing anyone can do to get it back because it says "All rights reserved" at the bottom. And if I unpublish in protest, I *will* follow up with takedowns if anyone reposts it.
I think I'll leave it for now. It's not exactly a ringing endorsement :)
This piece of code is a trivial function that I'd use as part of a standard library package; it's not some kind of carefully crafted software component.
Is this what programming has degenerated into? A random collection of source code fragments, each owned and guarded by some individual (or, worse, some corporation)? Doesn't this show the inherent weakness in relying on distributed script fragments for code distribution? Doesn't it highlight what a mess Javascript is -- it's worse than BASIC because at least BASIC doesn't have pretensions towards being a properly structured language.
"Is this what programming has degenerated into?"
Nope. It is what JavaScript has degenerated into and it is debatable whether it has actually degenerated. It has always been the case that if your JS program is more than a hundred lines long then you've probably chosen the wrong language. At the time JS was introduced, it was intended to let you fine-tune a web-page with a few DHTML events, but if you wanted to do any actual programming then *obviously* you'd use a proper language and Java was available.
Sun and Oracle between them have more or less killed off Java in the browser (with years of consistently shit implementations and legal barriers to third parties doing something better), so *now* we have no other language for this platform except JS. The fact that no-one is sufficiently worried to fix this problem means either that nothing important is actually done using browser-side code or that everyone involved is an idiot. You choose.
Edit: For the avoidance of doubt, I should say that I *like* JS. Its typeless nature makes it really good for really small tweaks, which was its intended domain. I'm just aware that the same characteristics make it really bad for anything really large.
This problem was created by lazy J.S. code authors.
Think about it: how hard _IS_ it to write your OWN 'left script' function? Well, if you KNOW how to CODE, it's trivial.
But you see all of these javascript 'things' out there depending on other 'things', which depend on other 'things', apparently TRIVIAL things, because nobody knows how to CODE any more [except for a handful of 'thing' authors].
Everyone ELSE is just chaining up a bunch of 3rd party schtuff into an "app" and calling THAT 'coding'.
This has grown into a kind of 'DLL Hell' for Javascript. Personally, I'm *GLAD* to see this happen, because I'm *SICK* and *TIRED* of the *ABUSE* of scripting on the web.
For safety, I surf with the NoScript plugin BLOCKING it, unless I see some compelling reason to ENABLE scripting, and on a site by site basis. Example, I have to enable SOME of the scripting [and temporarily unblock cookies] to post HERE.
As a result, my pathetic-bandwidth connection isn't hauling gigabytes of CRUFT behind every web site I visit, with that CRUFT being MOSTLY due to embedded TRACKING and ADS anyway. (who wants THAT downloaded, especially if it causes 'overages' in your bandwidth cap)
CDNs are equally *EVIL*, like enablers of script addicts. It's hard to say WHAT gets enabled if you unblock one of them.
Often it makes a *LOT* more sense to host the script YOURSELF, on YOUR web server, and maintain it YOURSELF, and trim out everything you DO NOT NEED, instead of relying on CDNs to refresh that MONOLITHIC MONSTROSITY library every time someone adds a comment or changes spelling in some text thing, forcing *THE* *WORLD* to waste MORE bandwidth re-downloading the "package" because it's not smart enough to only refresh 'small changes'. Or whatever.
[OK some of this is exaggerated to make a point]
But, if it's possible that "3rd party thing" can BREAK YOUR WEB SITE, you should WAKE UP NOW and FIX this problem (host script on YOUR server), instead of waking up at 0-dark-30 in the middle of a hangover when your cell phone won't stop ringing, and it's work calling, and YOU have to fix it (and it's not YOUR fault - except that you used "that library").
Kik's head of messenger has posted his version of the story on Medium:
https://medium.com/@mproberts/a-discussion-about-the-breaking-of-the-internet-3d4d2a83aa4d#.lblcg37oa
With liberal sprinklings of my favourite twattisms, "awesome" and "reaching out", it's only helped reinforce my impression that KIK are the dicks of this piece of drama.
Definitely there are a lot of dicks: Kik.com/KIK Interactive (and patent agent) are the really big ones throwing their weight around for little real reason, NPM in the way they handled their end of the matter and 'Azer' whose responses don't do much to encourage people to support his case...
A quick look at the EU trademark database ( https://euipo.europa.eu/eSearch/#basic/1+1+1+1/50+50+50+50/KIK ) shows that they aren't the only company to have 'KIK' as a trademark and the others have been registered for longer...
A further search gives a total of 10 trademarks registered in the name of Kik Interactive/Kik.com
( https://euipo.europa.eu/eSearch/#details/owners/470259 ) - these include: KICK, KEEK and K...
Best summed up by this post, I believe....
Will Fife
20 hrs ago
Kik -> Azer: We want your name.
Azer -> Kik: Nope, already have an open source project
Kik -> Azer: We’ll sue you and make your life a living hell… but really we are nice people.
Azer -> Kik: Go AWAY
Kik -> NPM: Halp, developer mean :(
NPM -> Azer: Company nice… help us make friends with company.
Azer -> Kik: Fine… 30k and I’ll do whatever you want… everyone has a price.
Kik -> NPM: LAAAAAWWWYYYEEERRRSSS!!!! But really we are nice.
Kik -> NPM Developer mean :(
Kik -> NPM: LAAAAAWWWYYYEEERRRSSS!!!! Developer mean :(
NPM -> Azer/Kik: Sorry bro… Company nice.. company have lots of users.. sucks2bu. Kik.. tell me where to send the stolen goods.
Kik -> NPM: Thanks.
Azer -> NPM: Fine… I’ll take my ball and go home.
So, no, it wasn't just a polite request; once you threaten with lawyers, it's not polite anymore and it's not a request. Your app has been uninstalled, and I hope all the bad press you receive destroys your brand completely.
Well, from reading the email exchanges made public and so on, it looks like everyone involved is coming off as a dick.
Koçulu seems to be less than professional and not particularly polite in his responses. The Kik people seem to have opened with threats of legal action if they didn't get what they wanted. When they offered compensation, Koçulu asked for $30K, and there was no negotiation on either side.
It would have been easier for Kik to have opened with "we'd like to take over the name, because trademark, and offer $10k in compensation". Even paying the asked $30k would have been so much easier and amicable all round. And, Koçulu should have responded a bit more professionally to the initial contacts, and not throw his toys out of the pram so soon - though I doubt anyone could have predicted how much would break from his removing the code.
> Koçulu seems to be less than professional and not particularly polite in his responses.
That.
Not impressed with Kik and not entirely convinced by NPM either.
But frankly when interacting with a community there's a minimum degree of politeness required and interacting with a business a minimum degree of professionalism.
Koçulu displayed neither and stamping his feet and taking his toys elsewhere just reinforced that impression.
He's probably done the rest of the world a favour though, assuming the world wakes up and takes notice. At least the pitfalls of using something hosted elsewhere have been highlighted. If you want it, it should be on your own server. If the licence doesn't let you host your own copy then don't use it, because you are vulnerable to it going away or being replaced by something dodgy.
"At least the pitfalls of using something hosted elsewhere have been highlighted. If you want it, it should be on your own server."
I think it was demonstrated about 5 seconds after the web was invented that if you depend on an image from a third-party site then the site can replace your image with something defamatory. Translating that experience to "code from a third-party site" doesn't seem a very big leap IMHO.
On the other hand, I suspect that if web browsers started refusing to load images from third-party sites, we'd discover that people hadn't learned this lesson at all. (There must be a Firefox extension that flags up cases where this is being done, but it probably counts as a terrorism tool now.)
So my guess is that *we* already knew that third-party code was a rubbish idea, just as *we* know about source code version control systems. But I'm sure there are a lot of people out there whose web-sites were hit by this and who told their bosses in all honesty that it wasn't a problem with *their* web-site. It was a problem elsewhere and could (and did) have happened to anyone.
> I suspect that if web browsers started refusing to load images from third-party sites,
We get THIS ;-)
"""
Here’s The Thing With Ad Blockers
We get it: Ads aren’t what you’re here for. But ads help us keep the lights on.
So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.
"""
I got name-clashed by MySQL (and now MariaDB too) no less - they include a binary called "replace" (despite almost all their binaries having a "mysql" prefix), which was first shipped years after the "replace" utility I wrote was released. A polite request from me asking them to rename it to "mysqlreplace" was ignored, which is annoying because MySQL's replace command is not good to say the least...
To show that some people can see the humour in all this, someone has just added a joke Python version of left-pad to Pypi. https://pypi.python.org/pypi/left-pad/
However he also says: "Make sure to add left-pad to your dependencies in your next project. Or, if you want to reinvent the wheel, go ahead and try to do it with the standard library. s.rjust(len(s) + 2, '+')"
I had a look at the source, and it's just a one line function wrapper around the standard "rjust" string method.
One of the really WTF issues with this whole thing is that such a trivial feature has been such a popular third party Node.js module.
Apache Java StringUtils has a leftPad which bears a lot of resemblance to the Node.js version. I suspect the Node.js Javascript version was inspired by the Apache Java version.
I hate it when people think that older = smarter.
Why do you need to link javascript with "kids"?
As someone mentioned, get down off your high horses.
Be humble, learn from the younger and from the older.
Life is made of experiences, not of how long you have lived doing nothing, watching TV or stuck in your bubble of old-days tech and languages.
The more you talk about all this stuff from the past, trying to look smarter or like the knowledge king, the more you look like a kid, trying to get acceptance and reward in a world that you wrongly think you don't fit into anymore.
"I hate it when people think that older = smarter.
Why do you need to link javascript with "kids"?"
False. Older = more experience, so they don't do stupid stuff like this.
Because no-one older than 30 is using javascript (with 2 years' experience, on average), it's literally for youngsters. From my point of view these people are kids.
So one day you have the source code, and the next day you DON'T have the source code?!?!? Why oh why?!?!? Is this some kind of Web Developer thing? Didn't anyone think letting others control what goes into your project might be a BAD idea? I'm at a loss here.
Hopefully a lesson or two was learned this week!
First off.. what's with all the "z n ch" etc. variables? It's 2017 for crying out loud, IDEs have been taking care of us for years.. there is zeros (pun intended) reason to shorten variables like that.
function padLeft(originalValue: string, width: number, character: string) {
    character = character || '0'; // default pad character when none is given
    // Already wide enough: return unchanged; otherwise prepend (width - length) copies of the pad character
    return originalValue.length >= width
        ? originalValue
        : new Array(width - originalValue.length + 1).join(character) + originalValue;
}
Great article which I am stumbling across nearly 3 years later. It's interesting to note that Kik never did publish a package under the name that started the whole fiasco. What ever happened to the "open source project" they were working on?
In fact, npm says this about the kik package: "This package name is not currently in use, but was formerly occupied by a popular package. To avoid malicious use, npm is hanging on to the package name, but loosely, and we'll probably give it to you if you want it."
It'd be interesting to see an editorial follow up as to what happened to the parties involved.