[ohazi]

> Anecdotally, devs I know are very sensitive to ads/privacy, much more so than to paying money.

They also tend to be sensitive about arbitrary code execution, especially when running in a build system, which may be near things like deployment keys.

The only thing keeping npm from turning into a minefield are norms around what is socially acceptable, so developers tend to get super angry when this norm is challenged.

[feross]

> They also tend to be sensitive about arbitrary code execution

Presumably, if you're already downloading and executing code that I wrote, you trust me to use `console.log` correctly?

[ohazi]

It's not you, it's the norms that you were challenging. Developers don't want other people to realize that the only thing stopping them from running "extra" stuff like this on someone else's build machine is convention.

After the leftpad fiasco and the recent purescript installer "malware," people have gotten really sensitive about this sort of thing. Everybody knows that npm is a house of cards, but it's easier to hide the problem than to fix it.

[feross]

If the only thing this whole saga accomplishes is that npm post-install scripts are replaced with proper pre-built binary support, then I'll say this was all worth it. :)

[freeone3000]

The post-install scripts are installed from the same source as the actual library - the library itself could contain whatever malicious code an attacker wants. Pre-built binaries don't help here.

[Lazare]

Sure, but using it incorrectly - or even unusually - is going to be grounds to revoke that trust, obviously.

You must be aware that some non-zero number of developers have moved away from your code precisely because they no longer trust you, right? (Not saying that's right, just that it's a thing at least a few devs will have done.)

[AmericanChopper]

Personally, if you’re trying to inject advertising scripts into my critical infrastructure, then no, I absolutely don’t trust you. Like many others, I put a lot of effort into trying to sanely manage my dependencies, finding adware in there would be an enormous red flag.

You’re probably a good person, and you seem to be trying to do something good. But I know almost nothing about you, and even if I did, the fact that you think build pipelines are a good place for adware instantaneously eliminates any trust I might ever have in your judgement.

[baq]

so i guess you're mailing a check in return for services provided?

[yjftsjthsd-h]

False dichotomy; the world is not solely consist of adware and paid software.

[baq]

of course. i'm just pointing out that having a 'critical' infrastructure which components have been obtained for free and then complaining about those components asking for money in one way or another is rude; unless the OP already donates and didn't say so, in which case please accept my sincere apologies.

[AmericanChopper]

I contribute to various open source projects in various ways. But that’s really besides the point. I’m not against open source maintainers seeking funding, but in my opinion, this is just a remarkably terrible way of doing that, and undermines the credibility of the work they have done.

I also take issue with your implication that if somebody releases some work for free, that anybody who uses it now owes them something. I’ve released open source work before, and I’ve never even had the audacity to think that the people who use it are somehow indebted to me. Open source projects gaining a community following and then deciding ‘time to pay up’ and changing the license has happened in a few recent high-profile incidents, and it honestly makes reliance on open-source software a risk for anybody doing anything serious with it.

[pferde]

That's a deeply flawed line of thinking.

Those components were obtained at a price of 0 moneys, which at the time of "obtaining" was agreed upon by both sides. In this situation, yes, asking for money later is very rude, in my opinion.