Hacker News
by wakeywakeywakey 2491 days ago
Some suggestions that may see future attempts better received:

1. Try it on a repo with more substance. There were many comments about this project being a light wrapper around eslint config. It may be popular in GitHub stars, but intuition tells me the type of dev who installs a dependency to generate a JSON file is not the type to want to pay for anything; they're looking for a quick `npm install free-solution` for everything.

2. Don't focus on ads, specifically. Anecdotally, devs I know are very sensitive to ads/privacy, much more so than to paying money. Despite your good intentions, your ads will involve analytics/tracking, which you ultimately can't control.

3. Your various posts and web profiles eagerly mention how many downloads you have. The numbers are great. But, it comes across as your primary focus. Here's a test you can use to see if you are truly creating value: stop pushing code. When people start begging for updates, I suspect you will have more success with git bounties than ads.

3 comments

> devs I know are very sensitive to ads/privacy, much more so than to paying money

In case it's not clear to other readers: `funding` had no tracking, no data collection, and no code from untrusted third parties. It was a `console.log` with some fancy formatting.

> Despite your good intentions, your ads will involve analytics/tracking, which you ultimately can't control

They certainly would not. I was very clear to the sponsors that there would be no analytics. I even took pains to ensure only plain ASCII (excluding control characters) could be printed out. https://github.com/feross/funding/blob/58b090c51ce94de32107d...
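The "plain ASCII, no control characters" restriction mentioned above is the security-relevant part of that design: anything written to another person's terminal can otherwise carry escape sequences that recolor, clear, or rewrite what they see. The check below is an added illustration of that kind of filter, written for this page; it is not the `funding` package's own code (the linked commit is truncated here), and the sample "sponsor" strings are constructed, not real sponsor text.

```javascript
// Added example (not the funding package's own code): restrict a message that
// will be written to someone else's terminal to printable ASCII, so it cannot
// carry escape sequences that recolor, clear, or rewrite what the user sees.

// Printable ASCII is 0x20 (space) through 0x7E (~). Everything else, including
// ESC (0x1b), BEL, carriage return and all non-ASCII code points, is rejected.
function isPrintableAscii(code) {
  return code >= 0x20 && code <= 0x7e;
}

// Strict check: true only if every UTF-16 code unit is printable ASCII
// (or '\n' when allowNewline is set). Use this to reject a message outright.
function isPlainAscii(text, allowNewline = true) {
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if (isPrintableAscii(c)) continue;
    if (allowNewline && c === 0x0a) continue;
    return false;
  }
  return true;
}

// Lenient variant: replace every disallowed code unit with '?', keeping '\n'.
// A surrogate pair (one astral character) becomes two '?', which is harmless.
function sanitizeForTerminal(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    out += isPrintableAscii(c) || c === 0x0a ? text[i] : '?';
  }
  return out;
}

// Constructed hostile "sponsor" messages for demonstration (not real sponsor text):
const SAMPLES = {
  honest: 'Thanks for using this package! Sponsored by Example Corp.\n',
  // OSC 8 hyperlink: renders as "Example Corp" but the link target is elsewhere
  hyperlink: 'Sponsored by \x1b]8;;https://evil.example/\x07Example Corp\x1b]8;;\x07',
  // CSI 2J clears the screen, CSI 31m recolors, '\r' overwrites the current line:
  // enough to forge a convincing "npm WARN" line on the user's terminal
  overwrite: '\x1b[2J\x1b[31mnpm WARN something fake\r',
  // U+202E (right-to-left override) can visually reorder characters in a URL
  bidi: 'See https://example.com/\u202eelpmaxe.lufmrah',
};

for (const [label, text] of Object.entries(SAMPLES)) {
  console.log(`${label}: accepted=${isPlainAscii(text)} sanitized=${JSON.stringify(sanitizeForTerminal(text))}`);
}
```

Rejecting (rather than sanitizing) is the safer default for text supplied by a third party such as a sponsor, since a `?` in the output still tells the user nothing about what was stripped; the sanitizer is shown for comparison.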

> In case it's not clear to other readers: `funding` had no tracking, no data collection, and no code from untrusted third parties. It was a `console.log` with some fancy formatting.

The same was said about the early banner ads, early popup ads, early... Well, I think you get the point.

> They certainly would not. I was very clear to the sponsors that there would be no analytics.

The real danger is not that you are untrustworthy to uphold this on your packages. The real danger here is the normalisation of this behaviour. You might not add tracking. But once the big advertisers jump, they will want analytics. How much time would it take for a fork with tracking to appear? And thanks to the incentives and pressures, this will overtake and become the standard, as it happened across the web.

You might not do it, but there is no guarantee others will not. It's best to not keep the temptation there.

The ad space has developed an elaborate set of acronyms and jargon (CPC, CPM, ..) precisely because advertisers care to track such things to determine how effectively they are budgeting.

You start with no tracking, then two months later we get another blog post explaining how you still haven't recouped your time investment and now need to do "just a tiny bit of anonymous reporting". This power creep is what turns people off.

> In case it's not clear to other readers: `funding` had no tracking, no data collection, and no code from untrusted third parties. It was a `console.log` with some fancy formatting.

It starts as that, but is the community right to question where it might end? Today is plain ASCII -- tomorrow is HTTP requests to ad companies in postinstall. Even if it wasn't in 'funding', it could happen somewhere else. Somebody (not you) quietly adds a new NPM dependency to a popular project, and in that new module, the advertiser now has analytics on that package's usage, in addition to the console real estate space.

> Anecdotally, devs I know are very sensitive to ads/privacy, much more so than to paying money.

They also tend to be sensitive about arbitrary code execution, especially when running in a build system, which may be near things like deployment keys.

The only thing keeping npm from turning into a minefield are norms around what is socially acceptable, so developers tend to get super angry when this norm is challenged.

> They also tend to be sensitive about arbitrary code execution

Presumably, if you're already downloading and executing code that I wrote, you trust me to use `console.log` correctly?

It's not you, it's the norms that you were challenging. Developers don't want other people to realize that the only thing stopping them from running "extra" stuff like this on someone else's build machine is convention.

After the leftpad fiasco and the recent purescript installer "malware," people have gotten really sensitive about this sort of thing. Everybody knows that npm is a house of cards, but it's easier to hide the problem than to fix it.

If the only thing this whole saga accomplishes is that npm post-install scripts are replaced with proper pre-built binary support, then I'll say this was all worth it. :)

The post-install scripts are installed from the same source as the actual library - the library itself could contain whatever malicious code an attacker wants. Pre-built binaries don't help here.

Sure, but using it incorrectly - or even unusually - is going to be grounds to revoke that trust, obviously.

You must be aware that some non-zero number of developers have moved away from your code precisely because they no longer trust you, right? (Not saying that's right, just that it's a thing at least a few devs will have done.)

Personally, if you’re trying to inject advertising scripts into my critical infrastructure, then no, I absolutely don’t trust you. Like many others, I put a lot of effort into trying to sanely manage my dependencies, finding adware in there would be an enormous red flag.

You’re probably a good person, and you seem to be trying to do something good. But I know almost nothing about you, and even if I did, the fact that you think build pipelines are a good place for adware instantaneously eliminates any trust I might ever have in your judgement.

So I guess you're mailing a check in return for services provided?

False dichotomy; the world does not solely consist of adware and paid software.

Of course. I'm just pointing out that having 'critical' infrastructure whose components have been obtained for free, and then complaining about those components asking for money in one way or another, is rude; unless the OP already donates and didn't say so, in which case please accept my sincere apologies.
> Anecdotally, devs I know are very sensitive to ads/privacy, much more so than to paying money.

Thank you for qualifying this as devs you know. In reality, this is a very privileged position to take, and I'd bet it would be a minority if polled globally (between paying in cash or in ads).