Unlike traditional labor, where being a good actor is financially rewarding, with open-source labor there is more monetary incentive in selling packages… and with the current state of open-source remuneration, there seems to be more incentive for bad actors than good actors to express monetary value for packages.
How should this be addressed? Shall npm just disable access and ban any user who sells a package (regardless of good or bad actor)? Will there be a defensive fund by the foundation to outbid bad actors in auctions?
Is there any evidence that this has happened before, even once? I’d love to read more about it if it has.
Not in a hostile way, both Node.js and Express were bought. The only solution to this problem is to move projects into a Foundation.
Hmm, that’s not how I remember things, but I’m sure I’m lacking info. Could you elaborate?
Node.js was acquired by Joyent. Express was acquired by StrongLoop. None were hostile acquisitions, they just were (there are plenty of online discussions on this). Selling OSS is indeed an exit strategy for a maintainer, and the solution to that is to move important projects into a Foundation.
Gotcha. In those cases I agree that a foundation was a good idea; I’m not convinced it would be necessary in every case, nor that it’s a large enough problem to warrant being in scope for this group.
It’s the change in ownership being “hidden” to most users that is potentially an issue in those cases. I think surfacing the change in ownership was discussed a bit in #4.
As a package maintainer, it's on me to vet my direct dependencies to protect my downstream users.
It's difficult to keep up with multiple dependencies and their ownership/control. There's a time investment required, and then there's the liability of assuming a dependency maintainer is trustworthy, but they turn out not to be.
A few dependency update tools have begun to look into this particular issue:
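One way a maintainer could surface the kind of ownership change discussed above, as an added example that is not code from this thread or from any of the tools it mentions: it diffs each direct dependency's current maintainer list against a snapshot taken at the last review and flags full turnover. The package names, maintainer handles and snapshot data are constructed; in practice the current list would come from the registry's maintainer metadata (`npm view <pkg> maintainers --json`).

```javascript
// Added example: detect maintainer/ownership changes in direct npm dependencies
// by comparing registry maintainer lists against a snapshot from the last vet.
// All data below is constructed so the example runs offline.

// Constructed snapshot: maintainers recorded when each dependency was last vetted.
const reviewedSnapshot = {
  "example-left-pad": ["alice"],
  "example-request": ["bob", "carol"],
  "example-util": ["dave"],
};

// Constructed "current" registry metadata for the same packages.
const currentRegistry = {
  "example-left-pad": ["alice"],               // unchanged
  "example-request": ["bob", "carol", "erin"], // one maintainer added
  "example-util": ["mallory"],                 // full turnover: likely transfer
};

// Compare one package's maintainer sets; returns null when nothing changed.
function diffMaintainers(before, after) {
  const b = new Set(before), a = new Set(after);
  const added = [...a].filter((m) => !b.has(m));
  const removed = [...b].filter((m) => !a.has(m));
  if (added.length === 0 && removed.length === 0) return null;
  // Full turnover (no original maintainer remains) is the "hidden" ownership
  // change discussed above and warrants a re-vet before the next upgrade.
  const turnover = [...b].every((m) => !a.has(m));
  return { added, removed, turnover };
}

// Walk every direct dependency in the snapshot and collect the changes.
function auditOwnership(snapshot, registry) {
  const report = {};
  for (const [pkg, before] of Object.entries(snapshot)) {
    // A package missing from the registry is treated as all maintainers removed.
    const after = registry[pkg] ?? [];
    const change = diffMaintainers(before, after);
    if (change) report[pkg] = change;
  }
  return report;
}

const report = auditOwnership(reviewedSnapshot, currentRegistry);
for (const [pkg, c] of Object.entries(report)) {
  const level = c.turnover ? "OWNERSHIP CHANGED" : "maintainers changed";
  console.log(`${pkg}: ${level} (+${c.added.join(",")} -${c.removed.join(",")})`);
}
```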
I think this is likely out of scope for the group at this time? I think there could be a fascinating article written about this topic.
I've labeled this stale? and am inviting the group to revisit.
_I think there could be a fascinating article written about this topic._