npm CTO announces ban on terminal ads #635
Comments
If NPM will ban the |
Fuckin rekt. Good on NPM. |
You're gonna have lots of trouble looking for a new job because all companies are afraid of you. At least you are not manageable (bully), at most you can put a message about them into postinstall. However I think you have a right to earn money on your skill, let's say 3.4kk of installations multiplied by one dollar. Man, you should be rich by now! It was your choice to contribute to open source, and it is your choice to keep this message where it is, and it is your choice to pee against the wind :) Nobody asked you to do so, and likewise nobody can force you to remove it, so stay put and pray for good |
I'd like to be clear that I don't wish to weigh in on who is right/wrong. And to make clear that I'm grateful to you @zloirock for this repo just as I am thankful to npm for providing their service (sort of) for free.
|
When would that display?
Won't everyone-but-you just maintain a fork? |
Illusions of grandeur. We'll be just fine without you. I hope that's not the case and you'll continue to be a part of this community, but you need to seriously take a step back and think about why you contributed to OSS in the first place. I can't think spamming the console of the millions of devs who indirectly import your project is what you envisioned. Is this really the hill you want to die on? There's no doubt this project has made you more employable, but the irony is that your stubbornness on this issue is probably working in the complete opposite direction you would like. Please reconsider. |
Btw, they in their post addressed packages that render ads in console as well:
|
You should realise, the value in contributing to open source is mainly the reputation. And reputation has both a quantity as well as a quality aspect to it. Bad rep is worse than none at all (unless you are Uwe Boll). By acting in a threatening way like here you just ruined a big part of the good reputation you earned with your contributions. You seem like a hard-working guy, so I hope you will come to your senses. |
Does anyone have any information on what “banning” packages with ads means? Does that mean that all versions of core-js will be removed from the registry? If not, then what does it mean? That seems like a bad idea considering the number of dependencies on core-js. |
They'll probably replace the main maintainer/collaborator with someone else, and change the repository to a fork. |
There's a big difference between a message saying "support the development of this thing" and "buy this other unrelated product". I don't believe that core-js is in violation of npm's recently clarified policy, and we were careful to make sure that the wording was precise and deliberate in capturing this subtlety. The ZDnet article was not nearly as careful, and the commentary on twitter and HN are even less careful than that. We also spoke directly with Feross prior to updating the policy, and learned that he was planning to cancel the experiment anyway. He wrote a very thoughtful and deliberate explainer on his blog. We're already working on a better way to drive funding to projects so that ads (of any sort) are less necessary as a way to create visibility and get support for open source projects. https://blog.npmjs.org/post/187382017885/supporting-open-source-maintainers Let's take the flames and speculation down a notch. If you want to know what we'll "probably" do, I'm right here. |
@isaacs thanks for the clarification. |
Looks like https://github.com/kethinov/no-cli-ads is back on the menu boys. On the bright side, we now know that this library’s maintainer is willing to risk breaking three million dependents for a job posting. Well done! |
A friendly reminder to all that an alternative exists: core-js-without-ads. For those who don't want the hubris of package maintainers treating server consoles like their personal megaphone, and just want a clean console the way it was intended, this is for you. |
@isaacs This would be a perfect time for both npm and yarn to implement something that allows packages to add a key to their package.json that is aggregated by the cli tool (can be disabled by those who don't want it) to output any information at the end of an install at one shot. |
@isaacs You said you were here so I'm taking you up on this offer. What will probably be done? Because as it stands something needs to be done and it seems what has been done isn't enough. |
@isaacs @JHabdas, I was very frustrated when I saw similar message during npm install inside my monorepo.
Don't misunderstand me, I'm grateful for your efforts to create this project for free, but we should think about possible consequences. There are not many places left clean from ads, and I definitely don't want to see it in console. |
Well, that'd be kind of a dumb move on our part, as it would certainly incite controversy and erode community trust. So we aren't gonna do that. It'd make more sense to provide some blessed way for modules like core-js to advertise their need for funding support, and then introduce a change in a future npm cli version to hide stdout of install scripts unless they exit in error. There was already a plan to do this, just because node-gyp tends to be noisy (and especially, an optional dep that fails to build looks really bad with lots of errors and red warnings, but then isn't relevant in most cases). We pumped the brakes on implementing muted install scripts because we didn't want to be seen as taking a side against community modules like core-js. Once the controversy erupted, it seemed prudent to be very careful about what moves we make in this area, because it's not just about noisy compilers, and in general, I don't like hurting people when I can help it. But there does seem to be a clear indication that advertising for one's own support is received very differently than an advertisement for a third party, so for now, we've drawn a line there. But it is a tragedy of the commons. If everyone does it, it'll be bad for everyone, and won't be effective for anyone anyway. So, we're working on figuring out a path forward to meet our community's needs in the best way possible. |
@isaacs of course that was an example of the worst case scenario, as @zloirock said that in this case ads will be moved to the browser console if npm suppresses install hook output. But in general I like the idea of this feature for cases such as node-gyp that was mentioned above. As another option, npm can allow aliasing package names on the local machine. Let’s say, I don’t want to see any ads anywhere, then I can map core-js to core-js-noads in my .npmrc and it will just transparently substitute it on my machine for all projects. Shouldn’t break more things than aliasing a package in npm and shouldn’t harm any feelings. |
It would appear to me the same rules should apply to non-company consortiums and related entities. And if that's the case there have been several contributors to What's needed here is a hardline stance against advertising of any kind. And if we can live without Left Pad we can live without CoreJS in its current form. Let's put politics aside and end the controversy. In this case the squeaky wheel should not get the grease. |
@isaacs I agree, you need to provide another way for this to be handled. There are definitely ways to appease this crowd. But your soft approach to what is currently happening is a bit ridiculous to me (granted, I can understand why you're trying to walk on eggshells here because of how loud certain parts of this community can be). But still, this should not be okay as it currently stands, in @JHabdas's post it's clear to see just a tip of what could happen here - and that's just one module. Just because only a handful of module owners have had the gall to implement something like this, where others have refrained (I would like to think mostly because doing such a thing would never enter the mind of a reasonable person who values the platform that this massive community has already given them, or just finds it downright cheap and tacky), you have decided to let it slide. But really you should be able to take these instances while also looking at the possible end result here - that others who have just as little sensitivity might copy them and create an even bigger mess. I mean you even acknowledge it here:
So why do these module owners get a pass? Because they were the first? Because a vocal minority sees them as "brave" and will get angry if you stand up against that narrative? Because you somehow feel obligated to let them continue with their antics until you find a better solution? To not just snuff this whole thing out from the start isn't a good precedent to set. Funding for OS projects is important, but there are definitely better ways to go about it. |
@isaacs I think the decision you've made is prudent for the time being, but while you want to ensure you are taking your time in ensuring you don't make moves that may erode community trust in npm, you also don't want npm to become known as that package manager which has things like this occurring through it to begin with, as that also has a negative impact on how npm is perceived not just by the JS community, but the wider programming community as a whole. That arguably may cause more long term damage than trying to walk a tightrope between doing the right thing, and annoying the vocal minority who will forget about it after they have their tantrum. I hope a decision either way can be made sooner rather than later, as this sort of precedent needs a clear direction on how it's going to be handled. |
@isaacs thanks for understanding what I'm all for creating dedicated spaces for promotion that will actually lead to something. The fact that the author of core-js hasn't found a job yet after 6 months of aggressive advertising is highly indicative of the efficiency of the current technique. The precedent that all of this sets is worrying, I hope you will find a way to handle this elegantly but firmly. |
@lostpebble I understand your point, but it's important to keep in mind that I can't just dismiss a vocal minority for being a minority. It's tempting to imagine that the "silent majority" on any topic is on your side, but that's oversimplifying the situation. Having reached out to and discussed this with people who spend their time thinking about this professionally, as well as a broad cross-section of people in different sectors of our community, the only conclusion I've come to is "it depends". Everyone's position is nuanced, and there isn't a lot you can say that applies to more than a "vocal minority", and everyone thinks their point of view is obviously true. In fact, the "npm should have no ads ever for any reason" group is a vocal minority whose views you are very eloquently articulating.
Because it's not that bad yet, and yes, they were first. They don't get "a pass". What they do get is that the policy isn't going to abruptly slam shut in their face without a conversation and an alternative that meets their valid needs, at least until and unless it does become a more serious problem.
20 years in open source, 10 of it in npm, buddy I barely even notice any more who's angry at me and who isn't. We're gonna try to figure out the right thing to do, and then do it, and if people get mad or people get happy, that's a relevant data point of course, but it's not the sole deciding factor. |
I, personally, do not like this spam in my console, and especially not in the browser console. It's annoying. I hope a more viable alternative is determined. I wouldn't mind seeing it in my console while I'm developing, I guess, but in my CI deployment logs or production environments? It's a big no. But the attitude in this comment is highly alarming. I interpret this as a threat to sabotage the package? #548 (comment) -- not only does this have me looking for alternatives, I doubt it's a good look for a future employer. Devs occupy a position of trust, by threatening to burn it all to the ground.... yikes! |
Precedence set. And this puppy's really taking off: My gut says @isaacs et al. are dragging their feet as they're looking for an Apple Store like revenue stream. What could be better than being the gatekeeper deciding how can advertise on your product? |
Your gut is wrong. Ratified RFC: npm/rfcs#54 Stuff is happening, and a better option is being added, which is a small step up from "postinstall spam, everyone out for themselves" towards a future where we can explore more interesting funding models. I don't see this as a big revenue op for npm, Inc., really. I could be wrong, and certainly some companies have made decent revenue by acting as a funding broker. (That's kind of the LF's whole deal, after all.) But I really think the benefit for us is more strategic than financial. If OSS JS is being funded, then people are going to treat it with more care and diligence, and more and better OSS JS will be created. That serves to make npm a better and stickier platform, so any monetization strategies we do pursue will be more effective. An "apple store like revenue stream" would be hard to do with OSS code which can be downloaded and then used or re-distributed for free. I have gamed out what it might look like to try to do something like that, and without a massive shift in license choices and policies, it's hard to make the business case for it. I have other ideas for how to monetize npm, by focusing on our position as a value-delivery mechanism, but none of that works if the OSS ecosystem gets hollowed out or toxic. It's very much in npm's interest to keep the ecosystem healthy. |
Thanks for the info. Wasn't aware of the Oct RFC. Please add a Bitcoin funding option. |
Huh! A btc (or ethereum or litecoin or ...) address might be an interesting idea. Care to write up an RFC for it, or if that's too much trouble, post a RRFC issue on npm/rfcs? (RRFC = "request for request for comments") |
@isaacs given you've just requested for a request for request for comments, is your comment an RRRFC? 🤔 |
I wouldn't bother much with altcoins unless you're looking at BCH. Just a single BTC address should be enough for individuals to display next to the modules we choose to host on NPM. |
I'm more leaning towards switching over to Deno, the whole npm package thing has become a pile of bloated stuff, ppl put all kinds of garbage in there that isn't even related to npm or node itself. It should just be possible to import from url like you do in Deno and the web... |
@zerkms That's R3FC and R4FC, following the tradition of R7RS, the Revised Revised Revised Revised Revised Revised Revised Report on the Algorithmic Language Scheme. Or maybe (RF)3C and (RF)4C would be more appropriate here. |
You know you don't have to use the garbage that is published right? There's a lot of garbage in Walmart, but that doesn't stop you from going in and getting just what you need. |
For the life of me I can't see why people nowadays are being selfish, arrogant and greedy. Free software developers have zero obligation to their users unless they explicitly say so. If there was a properly functional, unified donation system in npm, then a postinstall message would probably be too much. However since the npm developers seem to have this issue with entitlement, they simply whine about it and ban donation messages in postinstall. This is extremely arrogant, along with classifying donation requests as an "advertisement". Retards. |
I don't got anything against funding a project but the way of doing it in a development process where you have to debug stuff in the terminal isn't the way to do it. If you seek donations use github sponsor instead. or write about it in your readme file/website ofc npm could do something generic/useful themself that helps parse '.github/FUNDING.yml' or something like that |
Looks like OC doesn't support Bitcoin and their terms says this (somewhere between Sections 1 and 25):
OC also takes a "Host Fee" of 5%. Gross. And these are the model NPM is using aside from GitHub, who actively scrapes out Bitcoin URIs from project READMEs. All many of us keyboard warriors need is a clear place for a Bitcoin URI and a functioning hyperlink like the one you see at the bottom of the FSF donation page. Leave these matters up to NPM and GitHub (a company that only allows development of nuclear weaponry with US approval) when all that was needed was a blessed Bitcoin URI in the package manifest and, well... I'd rather see a terminal full of noise as an incentive to move off NPM. How about you? |
Totally agree. Terminal is not a place for advertisement. Also, in the post above, @zloirock threatened to make trouble for people; his words make me feel like a hostage. I think it's not acceptable for open source society. |
@georgyfarniev I think such behavior is termed as coercion. Anyway I'm appalled (especially as a Russian developer) by how @zloirock is treating some of people's legitimate requests to decrease the amount of spam in their consoles. Even though such advertisement is justified to some extent it is terrible. @zloirock I think it is worth responding to the requests to remove the ads in CI services. So far, none of this reflects very well on Russian developers. |
replying here to @TomLingham's comment "I appreciate you digging those up, but there are actually a lot of packages that do it" because (along with about a dozen other "issues" on the same topic), the issue was marked as spam by the maintainer of If you looked through those > 100 pages of "packages", you might have noticed that the search results consist entirely of projects that have their dependencies committed to the repository, and of those committed dependencies, only three packages are showing up as doing install spam (based on the query):
tl;dr; install spam is not normal. |
We make money because of open source, not from it. BUT If you want to make money from your source code just add a QR code pointing at your BITCOIN address and use it to spam the terminal as much as you like because the floodgates are open and don't believe @isaacs "RRRRFC" Schlueter for one second -- just slap a BITCOIN QR code in there and pray someone donates. See the Expo codebase for an example QR code in the terminal: |
Why is this message even here? When you are explicitly turning down job offers? 6 months now. Take a hint. This is a very poor strategy. |
Still present as of Feb 2020. |
The author is currently in prison so this isn't going anywhere. |
@isaacs The author of core-js is currently in prison. Can we at least use some common sense and force a release that removed the following?
There's at least an argument to be made for funding requests, but job adverts are insane, especially when the person is incarcerated for the time being. |
@jhpratt I mean, this is just kind of highlighting the key issue, that a message attached to a given version of a package (which lives in perpetuity) is always going to be problematic. A link to a URL can be a thing that updates over time and changing circumstances. Even if someone isn't incarcerated, what if they got a job already? Or died? Or switched careers entirely? Or for any of a million other reasons aren't looking for a good job any more? npm v7 will not display the output of scripts at install time unless they exit in error, and the package is not optional. In other words, you'll only see messages like this if they're informing you about something relevant. I think a case could be made to remove the install script output in an npm v6 release, now that What we probably won't do is forcibly push a version of core-js that removes the postinstall script. That feels to me like getting too far into the realm of taking over authors' ability to publish packages. Eventually @zloirock will not be incarcerated, presumably, and we have to think about the long term, and the precedents set by any administrative actions we take. If core-js was malicious or inappropriate, we'd take it down, but this doesn't rise to that level of problem, in my judgement. |
cruel fate indeed.... |
Check this out: npm bans terminal ads. Announced several hours ago.
In response to community backlash against another NPM module attempting to run ads during install/postinstall, NPM is banning ads in the terminal for all users.
Update: Looks like the core-js project made the news! It was explicitly linked in the article, towards the bottom.
Update 2: You made it to reddit! Take a look.