Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Node Foundation as stewards of packages #4120

Closed
scriptjs opened this issue Dec 2, 2015 · 4 comments
Closed

Node Foundation as stewards of packages #4120

scriptjs opened this issue Dec 2, 2015 · 4 comments
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.

Comments

@scriptjs
Copy link

scriptjs commented Dec 2, 2015

The current situation with the distribution of node packages is unacceptable. NPM has provided evidence that there is a need for packages to be maintained by a non-commercial entity that can be trusted.
#3959

The issues raised in #3959 have led to other issues that need to be audited and reviewed in the relationship of the Node Foundation with NPM.

Regardless of what was in the license the fact that we didn't notice it was there is disturbing. We need to do a full audit and potentially change the way we distribute our LICENSE text to better match what compliance automation prefers.

Developers and companies that rely on the body of open source software require unrestricted access to the open source packages that were offered for distribution.

NPM is in the process of imposing terms that can restrict or discontinue your use at any time and has already included language that would allow changes to terms developers accept at any time without notice.

The changing legal landscape for accessing modules is made clearer by reviewing NPMs activity on policy changes here:

https://github.com/npm/policies
Most of what appears to affect users was the open source terms https://github.com/npm/policies/blame/master/open-source-terms.md.

You accept changes to these Terms by continuing to use npm
Services. npm may change, suspend, or discontinue npm Services at any
time without notice or liability to you.

Today, developers have no legitimate choice where to publish modules since all mirrors also replicate data from NPM. This is due to the fact that NPM grew organically with node. That said, it does not mean this cannot change or work in a better way for the future for the growing community of developers.

A repository operated by the Node Foundation appears the logical choice for this. This would bring module distribution closer to that of other open source languages and initiatives and provide greater control over manifest standards at the same time.

As a first step I am proposing that the Node Foundation seek donations for a CDN to host and distribute packages. PyPI for example is driven by Rackspace that has donated its bandwidth and space. From this first step, developers can begin developing resolvers and tools to retrieve the semantically versioned assets from the CDN to eliminate the dependency on NPM.

The community can respond in turn with search services and sites that involve the broader ecosystem using the APIs of the CDN. This would create a healthier environment for open source and eliminate the risks inherent in being manipulated by a sole commercial entity.

@mscdex mscdex added the npm Issues and PRs related to the npm client dependency or the npm registry. label Dec 2, 2015
@jasnell
Copy link
Member

jasnell commented Dec 2, 2015

@scriptjs ... please keep in mind that at this point we already have several open issues discussing this general topic. I understand that the npm license changes are a concern to you, but there's a point at which opening multiple issues becomes counter productive.

The npm license changes are on the agenda for the CTC call today and I'm sure will also come up on Thursday's TSC call.

@scriptjs
Copy link
Author

scriptjs commented Dec 2, 2015

@jasnell I was advised that #3959 was too broad. The topic of #3959 was changed to deal with the license issue. This issue is not a license issue but asks the Node Foundation to seek donation for a CDN so that it it is possible to bring package distribution in alignment with other open source initiatives like PyPI.

This issue is prefaced with a reference to #3959 because the insertion of terms without the knowledge of collaborators or informing the broader developer community is a signal that changes are needed in the ecosystem free of the manipulation of a sole commercial entity.

@Fishrock123
Copy link
Contributor

This belongs on either https://github.com/nodejs/NG or https://github.com/nodejs/TSC. Could you please move it? We'd like to keep this issue tracker for core issues, preferably technical.

@scriptjs
Copy link
Author

scriptjs commented Dec 3, 2015

Sure, I can move this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.
Projects
None yet
Development

No branches or pull requests

4 participants