Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

npm CTO announces ban on terminal ads #635

Closed
caspermaven opened this issue Aug 30, 2019 · 50 comments
Closed

npm CTO announces ban on terminal ads #635

caspermaven opened this issue Aug 30, 2019 · 50 comments

Comments

@caspermaven
Copy link

caspermaven commented Aug 30, 2019

Check this out: npm bans terminal ads. Announced several hours ago.

In response to community backlash against another NPM module attempting to run ads during install/postinstall, NPM is banning ads in the terminal for all users.

"We are always working on improving our policies and expand on our commitments to the community," Ahmad Nassri, npm, Inc. CTO told ZDNet in an email this week.

"To that end, we're making updates to our policies to be more explicit about the type of commercial content we do deem not acceptable."

According to these upcoming updates, npm will ban:

  • Packages that display ads at runtime, on installation, or at other stages of the software development lifecycle, such as via npm scripts.
  • Packages with code that can be used to display ads are fine. Packages that themselves display ads are not.
  • Packages that themselves function primarily as ads, with only placeholder or negligible code, data, and other technical content.

Update: Looks like the core-js project made the news! It was explicitly linked in the article, towards the bottom.

Update 2: You made it to reddit! Take a look.

@zloirock
Copy link
Owner

If NPM will ban the postinstall message, it will be moved to browsers console. If NPM will ban core-js - it will cause problems for millions of users. I warned about it.

@jgreco
Copy link

jgreco commented Aug 30, 2019

Fuckin rekt. Good on NPM.

@TrejGun
Copy link

TrejGun commented Aug 30, 2019

You gonna have lots of troubles looking for a new job because all companies are afraid of you. At least you are not manageble (bully), at most you can put message about them into postinstall.

However I think you have a right to earn money on you skill, lets say 3.4kk of installations multiply by one dollar. Man, you should be rich by now!

It was your choice to contribute to open source, and it is your choice to keep this message where it is, and it is your choice to pee against the wind :) Nobody asked you to do so, as well as so nobody can force you to remove it, so stay put and pray for good

@jamesbhobbs
Copy link

If NPM will ban the postinstall message, it will be moved to browsers console. If NPM will ban core-js - it will cause problems for millions of users. I warned about it.

I'd like to be clear that I don't wish to weigh in on who is right/wrong. And to make clear that I'm grateful to you @zloirock for this repo just as I am thankful to npm for providing their service (sort of) for free.

  1. I'm curious how would add this to the console, would you mind explaining or maybe even opening/pointing me at a similar PR @zloirock?
  2. re if they ban it. Obviously everyone hopes that won't happen, but if they do a fork would be easy to create and distribute and they'd not be likely to remove the existing packages - for knowledge of the chaos that would ensue - so isn't this really a non-issue? It essentially has to be either resolved amicably or one party or both would need to take unilateral action i.e. you distributing elsewhere or NPM finding a suitable fork to distribute (and perhaps proxy to) to prevent chaos? Or am I missing some terms and conditions that would prevent this from being true?

@ErikHumphrey
Copy link

ErikHumphrey commented Aug 30, 2019

If NPM will ban the postinstall message, it will be moved to browsers console.

When would that display?

If NPM will ban core-js - it will cause problems for millions of users. I warned about it.

Won't everyone-but-you just maintain a fork?

@lostpebble
Copy link

Illusions of grandeur. We'll be just fine without you. I hope that's not the case and you'll continue to be a part of this community, but you need to seriously take a step back and think about why you contributed to OSS in the first place. I can't think spamming the console of the millions of devs who indirectly import your project is what you envisioned. Is this really the hill you want to die on?

There's no doubt this project has made you more employable, but the irony is that your stubbornness on this issue is probably working in the complete opposite direction you would like.

Please reconsider.

@zerkms
Copy link

zerkms commented Aug 30, 2019

Btw, they in their post addressed packages that render ads in console as well:

Packages that display ads at runtime

@philly-vanilly
Copy link

You should realise, the value in contributing to open source is mainly the reputation. And reputation has both a quantity as well as a quality aspect to it. Bad rep is worse than none at all (unless you are Uwe Boll). By acting in a threatening way like here you just ruined a big part of the good reputation you earned with your contributions. You seem like a hard-working guy, so I hope you will come to your senses.

@ajcrites
Copy link

Does anyone have any information on what “banning” packages with ads means? Does that mean that all versions of core-js will be removed from the registry? If not, then what does it mean? That seems like a bad idea considering the number of dependencies on core-js.

@ErikHumphrey
Copy link

Does anyone have any information on what “banning” packages with ads means? Does that mean that all versions of core-js will be removed from the registry? If not, then what does it mean? That seems like a bad idea considering the number of dependencies on core-js.

They'll probably replace the main maintainer/collaborator with someone else, and change the repository to a fork.

@isaacs
Copy link

isaacs commented Aug 31, 2019

There's a big difference between a message saying "support the development of this thing" and "buy this other unrelated product".

I don't believe that core-js is in violation of npm's recently clarified policy, and we were careful to make sure that the wording was precise and deliberate in capturing this subtlety. The ZDnet article was not nearly as careful, and the commentary on twitter and HN are even less careful than that.

We also spoke directly with Feross prior to updating the policy, and learned that he was planning to cancel the experiment anyway. He wrote a very thoughtful and deliberate explainer on his blog.

We're already working on a better way to drive funding to projects so that ads (of any sort) are less necessary as a way to create visibility and get support for open source projects. https://blog.npmjs.org/post/187382017885/supporting-open-source-maintainers

Let's take the flames and speculation down a notch. If you want to know what we'll "probably" do, I'm right here.

@zloirock
Copy link
Owner

@isaacs thanks for the clarification.

@dpikt
Copy link

dpikt commented Aug 31, 2019

Looks like https://github.com/kethinov/no-cli-ads is back on the menu boys.

On the bright side, we now know that this library’s maintainer is willing to risk breaking three million dependents for a job posting. Well done!

@jpike88
Copy link

jpike88 commented Sep 1, 2019

A friendly reminder to all that an alternative exists: core-js-without-ads. For those who don't want the hubris of package maintainers treating server consoles like their personal megaphone, and just want a clean console the way it was intended, this is for you.

@joshmanders
Copy link

joshmanders commented Sep 1, 2019

@isaacs This would be an perfect time for both npm and yarn to implement something that allows packages to add a key to their package.json that is aggregated by the cli tool (can be disabled by those who don't want it) to output any information at the end of an install at one shot.

@ghost
Copy link

ghost commented Sep 27, 2019

If you want to know what we'll "probably" do, I'm right here.

@isaacs You said you were here so I'm taking you up on this offer. What will probably be done? Because as it stands something needs to be done and it seems what has been done isn't enough.

DeepinScreenshot_dde-desktop_20190927134231

@georgyfarniev
Copy link

@isaacs @JHabdas, I was very frustrated when I saw similar message during npm install inside my monorepo.
@zloirock Despite it may not violate current NPM policy, it creates very frustrating precedent. First it looks like innocent, but then getting worse and worse and other people may start using it for advertising third-party products and services and then say something like @zloirock said above:

If NPM will ban core-js - it will cause problems for millions of users

Don't misunderstand me, I'm grateful for your efforts to create this project for free, but we should think about possible consequences. There's no many places left clean from ads, and I definitely don't want to see it in console.

@georgyfarniev
Copy link

@JHabdas @isaacs Let's image hypothetical situation when things are getting worse.

What can prevent npm from deleting this package and just make alias to it's fork with ads removed?

@isaacs
Copy link

isaacs commented Sep 27, 2019

What can prevent npm from deleting this package and just make alias to it's fork with ads removed?

Well, that'd be kind of a dumb move on our part, as it would certainly incite controversy and erode community trust. So we aren't gonna do that.

It'd make more sense to provide some blessed way for modules like core-js to advertise their need for funding support, and then introduce a change in a future npm cli version to hide stdout of install scripts unless they exit in error.

There was already a plan to do this, just because node-gyp tends to be noisy (and especially, an optional dep that fails to build looks really bad with lots of errors and red warnings, but then isn't relevant in most cases).

We pumped the brakes on implementing muted install scripts because we didn't want to be seen as taking a side against community modules like core-js. Once the controversy erupted, it seemed prudent to be very careful about what moves we make in this area, because it's not just about noisy compilers, and in general, I don't like hurting people when I can help it. But there does seem to be a clear indication that advertising for one's own support is received very differently than an advertisement for a third party, so for now, we've drawn a line there.

But it is a tragedy of the commons. If everyone does it, it'll be bad for everyone, and won't be effective for anyone anyway. So, we're working on figuring out a path forward to meet our community's needs in the best way possible.

@georgyfarniev
Copy link

@isaacs of course that was example for worst case scenario, as @zloirock said that in this case ads will be moved to browser console in case if npm will suppress install hook output. But in general I like idea of this feature for cases such as node-gyp that was mentioned above. As another option, npm can allow to do alias for package names on local machine. Let’s say, I don’t want to see any adds anywhere, then I can map core-js to core-js-noads in my .npmrc and it will just transparently substitute it on my machine for all projects. Shouldn’t break more things that aliasing package in npm and shouldn’t harm any feelings.

@ghost
Copy link

ghost commented Sep 27, 2019

But there does seem to be a clear indication that advertising for one's own support is received very differently [....]

It would appear to me the same rules should apply to non-company consortiums and related entities. And if that's the case there have been several contributors to core-js over the years. Who's to say they themselves are benefiting from the current fee?

What's needed here is a hardline stance against advertising of any kind. And if we can live without Left Pad we can live without CoreJS in its current form. Let's put politics aside and end the controversy. In this case the squeaky wheel should not get the grease.

@lostpebble
Copy link

@isaacs I agree, you need to provide another way for this to be handled. There are definitely ways to appease this crowd. But your soft approach to what is currently happening is a bit ridiculous to me (granted, I can understand why you're trying to walk on eggshells here because of how loud certain parts of this community can be). But still, this should not be okay as it currently stands, in @JHabdas 's post its clear to see just a tip of what could happen here - and that's just one module.

Just because only a handful module owners have had the gall to implement something like this, where others have refrained (I would like to think mostly because doing such a thing would never enter the mind of a reasonable person who values the platform that this massive community has already given them, or just finds it downright cheap and tacky), you have decided to let it slide. But really you should be able to take these instances while also looking at the possible end result here- that other's who have just as little sensitivity might copy them and create an even bigger mess.

I mean you even acknowledge it here:

But it is a tragedy of the commons. If everyone does it, it'll be bad for everyone, and won't be effective for anyone anyway. So, we're working on figuring out a path forward to meet our community's needs in the best way possible.

So why do these module owners get a pass? Because they were the first? Because a vocal minority sees them as "brave" and will get angry if you stand up against that narrative? Because you somehow feel obligated to let them continue with their antics until you find a better solution? To not just snuff this whole thing out from the start isn't a good precedent to set. Funding for OS projects is important, but there are definitely better ways to go about it.

@jpike88
Copy link

jpike88 commented Sep 27, 2019

@isaacs I think the decision you've made is prudent for the time being, but while you want to ensure you are taking your time in ensuring you don't make moves that may erode community trust in npm, you also don't want npm to become known as that package manager which has things like this occurring through it to begin with, as that also has a negative impact on how npm is perceived not just by the JS community, but the wider programming community as a whole.

That arguably may cause more long term damage than trying to walk a tightrope between doing the right thing, and annoying the vocal minority who will forget about it after they have their tantrum.

I hope a decision either way can be made sooner rather than later, as this sort of precedent needs a clear direction on how it's going to be handled.

@gterras
Copy link

gterras commented Sep 29, 2019

@isaacs thanks for understanding what with great power comes great responsibility means.

I'm all for creating dedicated spaces for promotion that will actually lead to something. The fact that the author of core-js hasn't found a job yet after 6 months of aggressive advertising is highly indicative of the efficiency of the current technique.

The precedent that all of this sets is worrying, I hope you will find a way to handle this elegantly but firmly.

@isaacs
Copy link

isaacs commented Sep 29, 2019

@lostpebble I understand your point, but it's important to keep in mind that I can't just dismiss a vocal minority for being a minority. It's tempting to imagine that the "silent majority" on any topic is on your side, but that's oversimplifying the situation. Having reached out to and discussed this with people who spend their time thinking about this professionally, as well as a broad cross-section of people in different sectors of our community, the only conclusion I've come to is "it depends".

Everyone's position is nuanced, and there isn't a lot you can say that applies to more than a "vocal minority", and everyone thinks their point of view is obviously true. In fact, the "npm should have no ads ever for any reason" group is a vocal minority whose views you are very eloquently articulating.

So why do these module owners get a pass? Because they were the first?

Because it's not that bad yet, and yes, they were first. They don't get "a pass". What they do get is that the policy isn't going to abruptly slam shut in their face without a conversation and an alternative that meets their valid needs, at least until and unless it does become a more serious problem.

Because a vocal minority sees them as "brave" and will get angry if you stand up against that narrative?

20 years in open source, 10 of it in npm, buddy I barely even notice any more who's angry at me and who isn't. We're gonna try to figure out the right thing to do, and then do it, and if people get mad or people get happy, that's a relevant data point of course, but it's not the sole deciding factor.

@cyberhck

This comment has been minimized.

@cmbkla
Copy link

cmbkla commented Oct 29, 2019

I, personally, do not like this spam in my console, and especially not in the browser console. It's annoying. I hope a more viable alternative is determined. I wouldn't mind seeing it in my console while I'm developing, I guess, but in my CI deployment logs or production environments? It's a big no.

But the attitude in this comment is highly alarming. I interpret this as a threat to sabotage the package? #548 (comment) -- not only does this have me looking for alternatives, I doubt it's a good look for a future employer. Devs occupy a position of trust, by threatening to burn it all to the ground.... yikes!

@ghost
Copy link

ghost commented Oct 31, 2019

Precedence set. And this puppy's really taking off:
https://www.npmjs.com/package/opencollective-postinstall

Screen Shot 2019-10-31 at 16 44 12

My gut says @isaacs et al. are dragging their feet as they're looking for an Apple Store like revenue stream. What cold be better than being the gatekeeper deciding how can advertise on your product?

@isaacs
Copy link

isaacs commented Oct 31, 2019

My gut says @isaacs et al. are dragging their feet as they're looking for an Apple Store like revenue stream.

Your gut is wrong.

Ratified RFC: npm/rfcs#54
Implementation pull req: npm/cli#273

Stuff is happening, and a better option is being added, which is a small step up from "postinstall spam, everyone out for themselves" towards a future where we can explore more interesting funding models.

I don't see this as a big revenue op for npm, Inc., really. I could be wrong, and certainly some companies have made decent revenue by acting as a funding broker. (That's kind of the LF's whole deal, after all.) But I really think the benefit for us is more strategic than financial. If OSS JS is being funded, then people are going to treat it with more care and diligence, and more and better OSS JS will be created. That serves to make npm a better and stickier platform, so any monetization strategies we do pursue will be more effective.

An "apple store like revenue stream" would be hard to do with OSS code which can be downloaded and then used or re-distributed for free. I have gamed out what it might look like to try to do something like that, and without a massive shift in license choices and policies, it's hard to make the business case for it. I have other ideas for how to monetize npm, by focusing on our position as a value-delivery mechanism, but none of that works if the OSS ecosystem gets hollowed out or toxic. It's very much in npm's interest to keep the ecosystem healthy.

@ghost
Copy link

ghost commented Oct 31, 2019

Thanks for the info. Wasn't aware of the Oct RFC. Please add a Bitcoin funding option.

@isaacs
Copy link

isaacs commented Oct 31, 2019

Huh! A btc (or ethereum or litecoin or ...) address might be an interesting idea. Care to write up an RFC for it, or if that's too much trouble, post a RRFC issue on npm/rfcs? (RRFC = "request for request for comments")

@zerkms
Copy link

zerkms commented Oct 31, 2019

@isaacs given you've just requested for a request for request for comments, is your comment an RRRFC? 🤔

@isaacs
Copy link

isaacs commented Oct 31, 2019

@zerkms And it was in turn a response to @JHabdas's implicit RRRRFC, yes.

@ghost
Copy link

ghost commented Nov 1, 2019

I wouldn't bother much with altcoins unless you're looking at BCH. Just a single BTC address should be enough for individuals to display next to the modules we choose to host on NPM.

@jimmywarting
Copy link

jimmywarting commented Nov 3, 2019

I'm more leaning towards switching over to Deno, the hole npm package thing have become a pile of bloated stuff, ppl put all kind of garbage in there that isn't even related to npm or node itself in it. it should just be possible to import from url like you do in Deno and the web...

@rsp
Copy link

rsp commented Nov 4, 2019

@zerkms That's R3FC and R4FC, following the tradition of R7RS, the Revised Revised Revised Revised Revised Revised Revised Report on the Algorithmic Language Scheme. Or maybe (RF)3C and (RF)4C would be more appropriate here.

@joshmanders
Copy link

I'm more leaning towards switching over to Deno, the hole npm package thing have become a pile of bloated stuff, ppl put all kind of garbage in there that isn't even related to npm or node itself in it. it should just be possible to import from url like you do in Deno and the web...

You know you don't have to use the garbage that is published right? There's a lot of garbage in Walmart, but that doesn't stop you from going in and getting just what you need.

@ghost
Copy link

ghost commented Nov 6, 2019

For the life of me I can't see why people nowadays are being selfish, arrogant and greedy.
The developer is making high quality free software at no charge. All whilst having difficulties maintaining a proper life for himself. Now he's asking for donations to help develop this piece of free software and make it better. What gives you the right to bitch about this you zero empathy keyboard warriors?

Free software developers have zero obligation to their users unless they explicitly say so.
Free software developers are also people, who need money to have a proper life and continue improving that free software.

If there was a properly functional, unified donation system in npm, then a postinstall message would probably be too much. However since the npm developers seem to have this issue with entitlement, they simply whine about it and ban donation messages in postinstall. This is extremely arrogant, along with classifying donation requests as an "advertisement".

Retards.

@jimmywarting
Copy link

jimmywarting commented Nov 6, 2019

I don't got anything against funding a project but the way of doing it in a development process where you have to debug stuff in the terminal isn't the way to do it.

If you seek donations use github sponsor instead. or write about it in your readme file/website

ofc npm could do something generic/useful themself that helps parse '.github/FUNDING.yml' or something like that

@ghost
Copy link

ghost commented Nov 6, 2019

Looks like OC doesn't support Bitcoin and their terms says this (somewhere between Sections 1 and 25):

Our Platform allows you to use and store a payment method via the Platform that is acceptable to us ("Payment Method") to pay for any contributions or to receive any expense payments.

OC also takes a "Host Fee" of 5%. Gross. And these are the model NPM is using aside from GitHub, who actively scrapes out Bitcoin URIs from project READMEs.

All many of us keyboard warriors need is a clear place for a Bitcoin URI and a functioning hyperlink like the one you see at the bottom of the FSF donation page.

Leave these matters up to NPM and GitHub (a company that only allows development of nuclear weaponry with US approval) when all that was needed was a blessed Bitcoin URI in the package manifest and, well... I'd rather see a terminal full of noise as an incentive to move off NPM. How about you?

@georgyfarniev
Copy link

I don't got anything against funding a project but the way of doing it in a development process where you have to debug stuff in the terminal isn't the way to do it.

If you seek donations use github sponsor instead. or write about it in your readme file/website

ofc npm could do something generic/useful themself that helps parse '.github/FUNDING.yml' or something like that

Totally agree. Terminal is not a place for advertisement. Also, in the post above, @zloirock treatened to make a troubles for people, his words makes me feel like hostage. I think it's not acceptable for open source society.

@hinell
Copy link

hinell commented Nov 24, 2019

@georgyfarniev I think such behavior is termed as coercion.

Anyway I'm appalled by (especially as Russian developer) how @zloirock is treating some of people's legitimate requests to decrease amount of spam in their consoles. Even though such advertisement is justified to some extent it is terrible.

@zloirock Я думаю что стоит откликнуться на запросы убрать рекламу в CI сервисах. Пока что всё это не очень красит российских разработчиков.

@antialias
Copy link

replying here to @TomLingham's comment "I appreciate you digging those up, but there are actually a lot of packages that do it" because (along with about a dozen other "issues" on the same topic), the issue was marked as spam by the maintainer of core-js in order to suppress the discussion:

If you looked through those > 100 pages of "packages", you might have noticed that the search results consist entirely of projects that have their dependencies committed to the repository, and of those committed dependencies, only three packages are showing up as doing install spam (based on the query):

  • swiper
  • framework7
  • scrollreveal

tl;dr; install spam is not normal.

@ghost
Copy link

ghost commented Dec 2, 2019

We make money because of open source, not from it. BUT If you want to make money from your source code just add a QR code pointing at your BITCOIN address and use it to spam the terminal as much as you like because the floodgates are open and don't believe @isaacs "RRRRFC" Schlueter for one second -- just slap a BITCOIN QR code in there and pray someone donates. See the Expo codebase for an example QR code in the terminal:

Screen Shot 2019-12-02 at 19 19 44

@ashpr
Copy link

ashpr commented Dec 11, 2019

Why is this message even here? When you are explicitly turning town job offers?
#642 (comment)

6 months now. Take a hint. This is a very poor strategy.

@andrewzah
Copy link

Still present as of Feb 2020.

@ashpr
Copy link

ashpr commented Feb 14, 2020

Still present as of Feb 2020.

The author is currently in prison so this isn't going anywhere.

@jhpratt
Copy link

jhpratt commented Apr 17, 2020

@isaacs The author of core-js is currently in prison. Can we at least use some common sense and force a release that removed the following?

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

There's at least an argument to be made for funding requests, but job adverts are insane, especially when the person is incarcerated for the time being.

@isaacs
Copy link

isaacs commented Apr 18, 2020

@jhpratt I mean, this is just kind of highlighting the key issue, that a message attached to a given version of a package (which lives in perpetuity) is always going to be problematic. A link to a URL can be a thing that updates over time and changing circumstances. Even if someone isn't incarcerated, what if they got a job already? Or died? Or switched careers entirely? Or for any of a million other reasons aren't looking for a good job any more?

npm v7 will not display the output of scripts at install time unless they exit in error, and the package is not optional. In other words, you'll only see messages like this if they're informing you about something relevant.

I think a case could be made to remove the install script output in an npm v6 release, now that npm fund exists. However, it'd be a pretty major change, so I could also see some reasons to object to it. If you're (or anyone is) interested in pursuing that, open an rfc exploring the issue, and we can have that discussion.

What we probably won't do is forcibly push a version of core-js that removes the postinstall script. That feels to me like getting too far into the realm of taking over authors' ability to publish packages. Eventually @zloirock will not be incarcerated, presumably, and we have to think about the long term, and the precedents set by any administrative actions we take. If core-js was malicious or inappropriate, we'd take it down, but this doesn't rise to that level of problem, in my judgement.

@TrejGun
Copy link

TrejGun commented Apr 20, 2020

cruel fait indeed....

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests