Breaking of two NPM libraries shows that everything isn't right in the FOSS ecosystem
Prahlad Yeri
Posted on January 10, 2022
As if COVID-19 and political events weren't enough to wreak havoc in the lives of already disturbed netizens, they had to face one more setback today as a little-known developer named Marak suddenly decided to pull the plug on two npm libraries he happened to control, namely colors and faker, causing multiple node builds to fail across the world, and the Gods of the heavens screaming their wrath on the poor plebeians!
Good Lord, where do I even begin with this! It's often said that a thing or machine is only as strong as the weakest link in its chain, and this is so true of the npm ecosystem. It's essential for the safety and security of a product (a large and thriving ecosystem like node, no less!) that it should have as few dependencies as possible. But node developers seem to live in a totally different world. There are many large and highly used libraries in the npm world, such as webpack, which have an astronomical number of dependencies. This is so wrong, but it still continues to happen.
What happened with colors and faker can happen to any infrastructure project tomorrow. Imagine if this happened to a large project like webpack. Your project depends on webpack, but it has other dependencies that depend on other dependencies that depend on other dependencies, and so on ad infinitum! This is how it works in the npm astronomical universe, and this needs to change.
npm needs to learn and take a leaf out of other packaging systems like Python's pip, PHP's composer/packagist and RubyGems. It's not that these other packaging systems are perfect or never err, but none of them have popular infrastructure software that depends on trivial dependencies. In npm, you have trivial bits of code like plus.js or minus.js turned into proper packages and pushed across as dependencies. This needs to stop if the npm/node ecosystem wants to be a serious contender in the backend development world.
Needless to say, the attitude and behavior of this particular dev, Marak, is also very problematic here. And to be fair to npm, this kind of thing can happen to any open source software project (as it also happened with log4j recently and with npm itself earlier, in 2016). Now, what can one do if a software author suddenly decides to pull the plug on their package and break the entire dependency chain? It's important to understand the mindset and psyche of such a developer here, which brings us to the age-old mysterious question of why someone would want to contribute to FOSS in the first place!
In the linked Reddit thread, the same developer, Marak, is quoted as having warned in November 2020:
In November 2020, Marak had warned that he will no longer be supporting the big corporations with his "free work" and that commercial entities should consider either forking the projects or compensating the dev with a yearly "six figure" salary.
Now, why should open source developers have any problem with "big corporations" using their software for free? After all, the very purpose of FOSS is to create software that is free from all proprietary clutches, and being gratis is an important side effect of it all. If you don't want your software to be used by someone, why contribute to FOSS at all? A developer with this mindset should obviously go full proprietary and start licensing their software, because that is what businesses do (including the so-called "big corporations"!).
Even Richard Stallman (on whom the GPL and the philosophical foundations of FOSS rest) never had any problem with corporations using free software, as long as they fulfilled its licensing terms.
Unfortunately, though, the problem of putting food on the developer's table is a genuine one. But I disagree that devs are justified in pulling stunts like Marak's in order to put food on their table. In fact, a proprietary or closed-source dev who sells or licenses their software for money is better than someone who enters FOSS with such an ulterior motive and tries to sabotage it for a few bucks. At least the former is clear about their intentions and straightforward in their actions.
In the good old days of the 90s, devs were clear about their vision and narrative with regard to the software they built. There was a Bill Gates who went full proprietary and built a corporate software empire. There was a Richard Stallman who embraced the philosophy of the commons and started a great movement. There was also an ESR (Eric Raymond) who tried to balance both worlds and favored a more liberal version of open source by pushing for BSD/MIT/Apache-style licensing. But in the end, they were all clear about their vision and what they had to do, and to some extent they were all successful in doing so.
Developers like Marak don't have that vision; they are confused about what open source is all about and about their role in it. I think devs should reflect and introspect on this, and try to come up with a model that works for both themselves and society at large. It's not necessary to adopt Stallman's GPL or ESR's vision; they can come up with their own too. Or they can even do a full Bill Gates and create a Microsoft or similar corporation. But what's not so ethical is trying to be a Bill Gates in Stallman's clothing (or a wolf in sheep's clothing!). Neither the wolf's nor the sheep's supporters are ever going to like that!