by bsimpson
3746 days ago
Kik (the company) wanted to publish an npm module using their trademarked company name[1]. As has long been npm's policy, they asked the trademark holder and the author to work it out amicably. Azer handled the situation about as gracefully as you'd expect from someone who published a module without checking if the name was clear and rage-quit when that decision bit him, bitching about "corporations" and stranding the countless developers who (eventually) depended on one of his modules. npm and Kik did most everything right. The problem was in unpublishing already published tags. Once a tag is published, it shouldn't be able to be unpublished except in the most extenuating circumstances (perhaps a brand-new tag that inadvertently included PII). After a name changes hands, the new owner shouldn't be able to publish a new build in any of the major versions the previous owner tagged. Moreover, wholesale unpublishing modules shouldn't be allowed for the exact reasons this incident demonstrated. Based on npm's response, it sounds like they've learned that.

[1]: https://medium.com/@mproberts/a-discussion-about-the-breakin...
Any talk about trademarks is irrelevant (and npm even claims in this article that it had nothing to do with their decision).
Additionally, the `kik` package now has this description:
'This package name is not currently in use, but was formerly occupied by a popular package. To avoid malicious use, npm is hanging on to the package name, but loosely, and we'll probably give it to you if you want it.'
So...why did this happen again?