About open source and the npmgate


Nadia Eghbal wrote about the #npmgate

well … this need a bit more than 140 chars comment

before going into the details, let explain how someone put open source code out there

  • you apply a copyright to the code and so claim “you own it”
  • and then you apply a license to it to allow others to use it
    eg. you publish it under an open source license
  • others, as long as they respect the license, can then do things
    with that code like using it, changing it, etc.

But yesterday, when I spoke to Karl Fogel, who’s been in open source since at least the 1990s (including helping to write Apache Subversion), he said: “Well that makes sense. Azer can’t ‘take down’ open source code. It’s open source.

This was so far from anything else I’d heard that it took me a second to understand what he was saying. And then I realized he was right.

Good idea to ask Karl Fogel, who also wrote a book about open source: Producing Open Source Software, and even if I agree it’s only half of the answer.

Azer Koçulu did not take down a copy of his code to prevent people to use it,
he unpublished a package of this code from a privately owned repository,
have a look at npm Open-Source Terms.

There is a huge difference here.

In the post from Azer: I’ve Just Liberated My Modules, he is perfectly clear about it

This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People.

So, the problem is not so much about Azer taking down anything, it’s more about how private company are interacting with open source code which is not created for them to use as they please.

All Azer repositories are still available on Github, and let-pad is there too.

You can not say that Azer took down anything, and that’s why I’m arguing you are wrong.

The story of npm, Kik, and Azer has been interpreted as a David vs. Goliath, Corporate vs. “Of The People” story. But that story operates under the assumption that the module in question was “Azer’s code”. In reality, the code is technically owned by no one.

That’s not true, Azer has a full ownership of his code, this is called copyright.

In the original repository on Github of left-pad, even without licensing informations, Azer own the copyright by default.

When the code was published trough npm in the package left-pad, a license was applied to it, the “Do What The F*ck You Want To Public License” (WTFPL).

This does not void or remove Azer copyright.

Here the single term of the WTFPL


Does it allow npm or someone else to take ownership of left-pad ?

In fact, the whole purpose to apply an open source license, even as stupid as the WTFPL, is to say “you can do WTF you want with it but you can not tell me later that you own it and prevent me to do WTF I want with it”.

All these is not really related to any open source license in fact,
it is about trademark on a name, eg. “we own this name and you can not use it”.

Even if the Github project kik from Azer is alive and well, kik could also go after him there and submit a DMCA request to take down the repository.

It’s just a bit harder than to threaten to lawyer up with npm, but it would work on the same principle, it already happened with WhatsApp and many others, see the details here.

On February 12, 2014 a company many people know as WhatsApp sent a DMCA takedown notice to GitHub. GitHub complied with WhatsApp’s request - on an issue concerning a trademark, not copyright. Here’s what Boing Boing has to say about it, with extra added emphasis:

This is grossly improper. DMCA takedown notices never apply to alleged trademark violations (it’s called the “Digital Millennium Copyright Act” and not the “Digital Millennium Trademark Act”). Using DMCA notices to pursue trademark infringements isn’t protecting your interests – it’s using barratry-like tactics to scare and bully third parties into participating in illegitimate censorship.

Boing Boing - Whatsapp abused the DMCA to censor related projects from Github

Part of a reason is to blame WhatsApp here. However while GitHub has restored many of the repositories, some of them remain censored to date.

Let’s continue on the most unfair part

But it was Azer’s decision to choose the name of the kik module, right? On the other hand, it wasn’t up to Azer to permanently remove his public code. Only to remove his association with it.

That’s where you are completely and utterly wrong.

Tomorrow I can start a “Kik burger” business or a “kik ass” franchise or publish a game named “silly little kik” on any mobile app store, and kik.com will have nothing they can do about it.


under trademark law, you can’t own exclusive rights to a word that is descriptive of the goods or services being offered under that trademark

When a company apply a trademark on a name, there is a context, they can not own the name for anything and everything, there are even names they can not own at all because “too common” like “soap” or “earth”.

And in fact we have plenty examples of abuse in a different industry: gaming.

see for example

When Azer chose the the name “kik” for his open source project, he was not trying to create confusion with the company kik, eg. he was not trying to make people think the origin of the software was from kik.com, he was not trying to compete with kik.com building a messenger app, etc.

He just picked up a name for a project, you can not blame him for that.

You can not say “it wasn’t up to Azer to permanently remove his public code”.

No, he did not remove access to the public code, it was published first on Github and it’s still there, he just decided to unpublish the package and the npm ToS, open source terms, etc. gave him the right to do so.

Sure npm do mention about the unpublish command

It is generally considered bad behavior to remove versions of a library that others are depending on!

But this “bad behavior” is on npm private terms, not related to open source or code ownership.

all these let me to your conclusion

And therein lies the cultural tension between open source’s early days, and the “post open source” world we live in today.

Open source is about emphasizing community over self. But today’s open source doesn’t really operate that way — at least not in the long tail of smaller, homegrown projects. Whether this is a symptom of “new developers” who need to be properly socialized, as some would suggest, or truly an evolution of open source culture, is still up for debate. I’ll leave that to you.

Oh hell no.

Open source is not about emphasizing private company interests over individual’s freedom.

The open source community is not the slave of the corporate world, private companies can not at the same time enjoy the benefits of open source and try to rule it to their own interests.

You can’t have your cake and eat it too.

Even if the open source community evolve with time and the “GitHub generation” as we could call them do thing a bit differently, and even do many mistakes

  • trusting Github while they enforce such things as DMCA takedown
  • not bothering to add clear open source license to their projects
  • forking anything like rabbit fornicating on drugs
  • feeling entitled to have any pull requests accepted

The basic principles are still the same: those are people writing software for free and sharing it with the world for everyone to use.

Go after them with such B.S as trademarks and DMCA and this community will turn away to greener pastures, they will not stop doing open source but they will stop doing it on privately held grass.

I don’t know Azer and don’t want to speak for him, but as an open source developer I would have done exactly the same thing.

It’s not the open source developers who have to understand and comply to the private and closed source software companies, it’s the opposite.

Kik was wrong and stupid to threaten Azer and I assume many if not all open source developers will boycott them out of principle.

Npm was wrong to chicken out on a trademark request, it seems impossible to think npm could close down because of that but it’s possible, npm does not own the strength behind open source projects, the open source community does.

Companies need more open source developers than developers need them, thinking they can abuse them and bind them to their corporate non-sense is a fatal mistake.

I mean, let be clear here
Kik sent that kind of message to Azer

I don’t wanna be dick about it, but “kik” is our registered brand and our lawyers gonna be banging on your door, and taking down your accounts.

and people have the nerve to tell Azer he did not have the right to react to that kind of threat ?

oh noooessss, “shut up”, “be a good boy”, keep providing and contributing to the open source community and be a good slave that bend to the will of your overlord the private company.

The only legitimate answer that was possible, was to tell Kik to “fuck off”, and Azer just did that, in a beautiful way I may add, because in doing so he sent a warning to the open source community at large, this warning should be seen as a service not an inconvenience.


i don’t have much to comment on Kik or Azer’s recent actions as I believe your article already states its points clearly enough.

i can’t help expressing my personal remark on NPM being quite a chicken (again) in their un-unpublising the left-pad module.

if things like this keep happening again, either on NPM or even GitHub, I’m afraid the day when GitTorrent-style module sharing rules is neigh.

*Edited: at first I wrote my agreeing with you... but then I realized you and I were pointing at 2 different acts, so I switched to my personal remark.... Still the tl;dr version: I agree with your points :slight_smile:


exactly. it’s like if you’re using away3d in your private project, and then Rob comes and deletes the files from your repository. how does he even have permissions to do that.