[Dylan16807]

I don't think the dispute resolution process makes them untrustworthy. It's an annoyance. It's the unpublishing that's a huge security flaw vector, and the fact that they didn't actually fix what they claimed is pretty bad.

[tedivm]

To me it's a trust issue. Their dispute policy breaks trust in two ways-

1. As a developer I can not know with certainty that a package I publish will remain published under its current name.

2. As a consumer of packages I can not trust that a library I am using won't get changed to a different piece of code due to someone else thinking they deserve the name better.

What you say is also a problem. The fact that they claimed to have solved the unpublishing problem when they apparently hadn't is pretty huge, as is the fact that the flaw exists to begin with. Unfortunately NPM is just not a trustworthy company.

[djsumdog]

I agree as well. The guy published his kik package well before Kik was even a company. There was no reason for the npm team to resolve the situation they way they did. If someone already owns your Twitter ID or Facebook page name, well they're closed private services. Same if someone buy's your domain name (see the case of Nissan).

You don't have a right to a name on every service on the planet just because you trademark it somehow.

[allover]

> 1. As a developer I can not know with certainty that a package I publish will remain published under its current name.

You can as long as your package name isn't trademarked or likely to confuse users installing the package.

> 2. As a consumer of packages I can not trust that a library I am using won't get changed to a different piece of code due to someone else thinking they deserve the name better.

I'm actually fairly sure npm won't blindly hand over a package that is depended upon, to another entity. When they handed over 'kik' it wasn't in the same league as 'left-pad' which was widely depended upon.

> What you say is also a problem. The fact that they claimed to have solved the unpublishing problem when they apparently hadn't is pretty huge

I agree it sucks, but the fact is they 'prevented unpublishing' to bug-fix one vector for this problem, but then introduced a bug in process that appears very similar to unpublishing. If you've never had this sort of thing happen to you as a software dev, (had some stakeholder question 'but I thought you'd fixed X') you're very very lucky.

> as is the fact that the flaw exists to begin with.

Easy to criticise in hindsight. At the time of left-pad, several other package registries (e.g. PyPI) also allowed unpublishing.

[dozzie]

>> 1. As a developer I can not know with certainty that a package I publish will remain published under its current name.

> You can as long as your package name isn't trademarked or likely to confuse users installing the package.

Trademarked where exactly? You know, there's quite a lot of world beside US.

> I'm actually fairly sure npm won't blindly hand over a package that is depended upon, to another entity.

What makes you trust them in this matter? They haven't displayed such behaviour, and their behaviour up until now slightly suggests the opposite.

[bigiain]

>>> 1. As a developer I can not know with certainty that a package I publish will remain published under its current name.

>> You can as long as your package name isn't trademarked or likely to confuse users installing the package.

> Trademarked where exactly? You know, there's quite a lot of world beside US.

And, if I recall correctly, trademarked when? Wasn't leftpad.js's author using the name kik well before the company Kik existed? So you don't just need a name that's not trademarked _now_, you need to pick one that no-one else trademarks sometime in the future (in whatever jurisdictions the npm people care about)...

[allover]

> and their behaviour up until now slightly suggests the opposite.

Please elaborate. Afaik 'kik' wasn't significantly depended upon, and people using the old kik could still install it [1] (had the leftpad author not unpublished it), and that is the only example I'm aware of of npm handing over a package name.

[1] http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm

[mcny]

I cannot believe anyone will defend npm over it.

There is no scenario where it is OK to hand over a namespace to someone else. At worst, it is acceptable to make a namespace unavailable to anyone.

I think npm is completely unable to exist as an organization and should disband immediately.

[Kliment]

Trouble is, if they do that, someone else will quickly replace them, take over the same function, and users will likely not notice that they are now trusting a different unverifiable entity to ensure package integrity

[macintux]

How many times does it have to happen to warrant concern?

Trust, once broken, isn't quickly restored.

[chickenfries]

Hypothetically, even if it's just the author of kik (I don't know if it is), isn't that still unfair to them? They might have used it on client projects. Why would I want to use your registry if you're going to break all of my software because a corporation wants a my package name?

[bigiain]

Pretty sure "allover" isn't "significantly depended upon" - how would you feel if YC gave that account here to me just because I went and paid for a trademark on it?

[allover]

I have no investment in this username, so I wouldn't care.

And "significantly depended upon" doesn't make sense in your example, but is relevant in terms of a package in a registry.

[kevin_thibedeau]

Trademarks only apply within a common industry. Kik the company isn't in the business of creating NPM packages. It's perfectly legal to use the same name for something unrelated to messaging even after the founding date of the commercial entity.

[allover]

I'm not arguing what's legal. If your package name is a trademark, thinking you're entitled to hang on to it is naive. This is well understand with domains, so why do you think a package registry should be different?