The fork? Node.js: Code showdown re-opens Open Source wounds

Left pad chaos highlighted madness behind scenes


Open Source Insider: Open source software rarely receives the kind of attention that the press lavishes on the latest hot new thing blessed by Silicon Valley venture capitalists. Yet these projects are the foundations of the web world.

Without open source there would be no Slack, no Medium, no Github. Nor would there be Google, Facebook, or much of anything else.

Without open source projects like Apache, Nginx, OpenSSL, OpenSSH and others (to say nothing of GNU/Linux, which does get some attention), the latest hot new thing would likely not exist. More fundamentally, the web as we know it would not exist.

There is a kind of myth that has grown around this lack of attention. It's the myth of the lone developer creating powerful magic. It's a myth the open-source community likes to tell itself: that open source software is created by individuals working on labours of love in their spare time.

This isn't always a myth; indeed, it's often surprising how little support key projects get considering how many companies would cease to exist without them.

However, the myth ignores the fact that much of the money going into open source software is directly and indirectly (in the form of employing developers who contribute to open source projects) coming from corporations.

There's a tension in open source between individuals building projects out of love, frustration or other personal motivations and corporations devoting their time and money that help further the bottom line.

Occasionally the web gets a wake-up call about this tension that exists between individual developers and corporations building fortunes atop their code.

The kerfuffle at NPM, the default package manager for the very popular Node.js project, nicely illustrates exactly this tension. It's a somewhat convoluted story, but the short version is that NPM bowed to legal pressure from the messaging company Kik and handed developer Azer Koçulu's kik package name over to that company without his consent. This angered Koçulu so much that he unpublished all of his packages from NPM, one of which, a tiny string-padding helper called left-pad, happened to be very widely used, mostly as a transitive dependency that nobody had chosen deliberately. Once left-pad was gone, installs and builds that depended on it, directly or through other packages, started failing.

There's a lesson here for everyone – consider your dependencies carefully, including the transitive ones you never chose – but there's also a wakeup call here for both developers and corporations.

Developers like Koçulu got a little reminder that the NPM project is ultimately corporate-controlled. It will make decisions in its best interest, which may not be in every developer's best interest. It's a not so subtle reminder for Koçulu and other NPM developers that they serve at the pleasure of the king, in this case NPM Inc. For his part, Koçulu clearly got the message; he referred to deleting his code as "liberating" it. It's now hosted on GitHub, another large corporation.

On the other side of the coin, NPM learned that it's vulnerable to the whims of individual developers contributing (and un-contributing) code. Anyone who relies on NPM is similarly vulnerable. The NPM community quickly stepped forward and, because Koçulu's code is open source, forks were quickly published to NPM's registry so that dependent builds could be repaired.

There's really nothing original about this story. It's part of the tension that seems inherent in software development at this stage. It's so common, in fact, that open-source software has a simple mechanism for handling this situation – the fork.

Don't like where a project is headed or who's in charge of it? Go make your own. It happens with small projects like Koçulu’s and big ones like the MariaDB fork of MySQL.

So while the short version of the NPM story has a happy ending – Koçulu’s code is now free of NPM and NPM has forks of it available for developers who depend on it – the longer story remains undecided. As software developer Dave Winer writes in reference to replacing NPM: "We need a framework, legal and social, for projects that are not 'owned' but are just there."

In fact there are quite a few such frameworks out there, albeit none that's a perfect fit. Part of the reason the code underlying the web continues to be developed despite lacking large corporate backing is that non-profit foundations such as the Apache Software Foundation, the Free Software Foundation, the Python Software Foundation and dozens of others sit behind the code, quietly raising money, keeping the lights on and the web humming.

The NPM community and the larger Node.js community might want to think about setting up something similar. Similarly, anyone hosting code on GitHub might want to think about what the transition away from GitHub will look like for their project.

As Winer notes about Github: "The VCs are going to want an exit… then what happens?"

What indeed. Most likely developers will get another reminder of the tension between open source developers and corporations. ®
