by dozzie 3079 days ago
>> 1. As a developer I can not know with certainty that a package I publish will remain published under its current name.

> You can as long as your package name isn't trademarked or likely to confuse users installing the package.

Trademarked where exactly? You know, there's quite a lot of world beside US.

> I'm actually fairly sure npm won't blindly hand over a package that is depended upon, to another entity.

What makes you trust them in this matter? They haven't displayed such behaviour, and their behaviour up until now slightly suggests the opposite.


>>> 1. As a developer I can not know with certainty that a package I publish will remain published under its current name.

>> You can as long as your package name isn't trademarked or likely to confuse users installing the package.

> Trademarked where exactly? You know, there's quite a lot of world beside US.

And, if I recall correctly, trademarked when? Wasn't leftpad.js's author using the name kik well before the company Kik existed? So you don't just need a name that's not trademarked _now_, you need to pick one that no-one else trademarks sometime in the future (in whatever jurisdictions the npm people care about)...

> and their behaviour up until now slightly suggests the opposite.

Please elaborate. Afaik 'kik' wasn't significantly depended upon, and people using the old kik could still install it [1] (had the leftpad author not unpublished it), and that is the only example I'm aware of of npm handing over a package name.

[1] http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm

I cannot believe anyone will defend npm over it.

There is no scenario where it is OK to hand over a namespace to someone else. At worst, it is acceptable to make a namespace unavailable to anyone.

I think npm is completely unable to exist as an organization and should disband immediately.

Trouble is, if they do that, someone else will quickly replace them, take over the same function, and users will likely not notice that they are now trusting a different unverifiable entity to ensure package integrity.
Users will continue to trust the packages that come with node. Nothing needs to change from a user's perspective. They will still type npm ... But it will point to a new infrastructure (and more importantly one led by nobody currently leading npm).

If node wants to do this, I think they totally can. There just needs to be the will to cut off and blacklist the current npm team.

How many times does it have to happen to warrant concern?

Trust, once broken, isn't quickly restored.

Hypothetically, even if it's just the author of kik (I don't know if it is), isn't that still unfair to them? They might have used it on client projects. Why would I want to use your registry if you're going to break all of my software because a corporation wants my package name?
Pretty sure "allover" isn't "significantly depended upon" - how would you feel if YC gave that account here to me just because I went and paid for a trademark on it?
I have no investment in this username, so I wouldn't care.

And "significantly depended upon" doesn't make sense in your example, but is relevant in terms of a package in a registry.