DEV Community

The Sharp Ninja

Why Should Open Source Software Selectively Ignore Copyright?

Sometimes people change their mind. They decide to go in a new direction. There are many people who are applauded when they shift philosophy. It all depends on if the shift is in the direction favored by influencers as to the social outcome.

Developer Marak Squires created the colors.js and faker.js NPM packages, each of which gets millions of downloads per week. He clearly owns the code and the names of the packages the code is distributed under.

That ownership did not stop NPM from reverting his packages to older versions. I am not a lawyer, but that seems to me like theft. If NPM wants to fork the projects and give them new names then that would be fine, but as of right now they have hijacked a sovereign person's intellectual property. If they truly have a problem with Marak's published versions then they should disable downloads of the package names without interfering with Marak's intellectual property. Right now they are doing much more harm by setting a precedent that copyrighted works can be altered in place without the owner's consent.

Discussion (13)

Joe Mainwaring

In all likelihood, npm/github made decisions without reviewing the license of the code; their focus was on mitigating the damage that Marak had inflicted on the ecosystem by his malicious actions.

Also, if you look at previous versions of his code, he declares a license. I didn't review every past version to see when he pulled the license, but one had existed that granted fair use.

The Sharp Ninja Author

Fair use doesn't include hijacking the package name, and honestly that's what is valuable, not the code.

Vincent A. Cicirello

The name "colors.js" by itself isn't copyrightable. It is the obvious name for what it does, as well as for a variety of other things. There are likely countless other files out there named "colors.js" that predate this package just not as highly used. So fair use isn't even an issue here--not with package name anyway. The code contained in colors.js is certainly subject to copyright, but has been licensed under a permissive license, the MIT license, allowing anyone to do with it what they please.

Joe Mainwaring

Again as I stated in my first sentence in the comment - there was a strong likelihood focus outside of ownership and control. The move was about damage control to mitigate the damaging effects of malicious actions.

The Sharp Ninja Author

Did he not warn that failure to begin compensating him or creating your own fork was necessary?

Joe Mainwaring

Throwing a statement into the void is not how you avoid breaking an ecosystem where 1000s of packages are dependent on your code.

I’ll say it again for a third (and final) time: in all likelihood, the actions taken by GitHub/NPM have nothing to do with licensing and was likely not a consideration. Their moves were about damage control.

The Sharp Ninja Author

Yes, I agree about their motivations. GitHub did nothing wrong. NPM, on the other hand, has taken away Marak's property such that he cannot enjoy its use and value. How valuable is that package name right now? The honest thing for everyone would be for the FSF or another non-profit to buy the package name and publish someone's fork under it.

technoratii

NPM didn't take away anything that wasn't theirs to take; there's no obligation on the part of NPM to distribute a particular piece of software under a particular name. NPM owns all the names under the NPM namespace, not the creators of the projects which chose NPM as a distribution mechanic. NPM can ship whatever they want under the names "colors" and "faker".

Jan Küster

Depends on what he agreed to when signing up to and publishing to NPM. As owner he can theoretically invalidate his license by agreeing to npm terms.

The Sharp Ninja Author

License, yes, but not ownership. Two totally different things. He owns the package name. It is his property until either he sells it to someone else or a judge takes it from him under proper legal conditions.

Vincent A. Cicirello

You can't own a name as simple and obvious as "colors". You can't trademark it as it isn't sufficiently distinctive. You can't claim copyright on a single word unless you are the one who coined the term. And "colors" has been in the English language for hundreds of years. Combining with ".js" doesn't change either of these as it is the required extension of the language.

jzombie

Hey, he could have always hosted somewhere else besides NPM and GitHub if he didn't want to be held quasi-accountable for his actions.

And, it's not like Microsoft demon elves physically went into his house and destroyed the code on his own computers.

So, he didn't actually lose anything here, and neither did the community.

Vincent A. Cicirello

He licensed them under the MIT license. He owns the copyright, but by licensing them under the MIT license, he explicitly granted permission to anyone to do whatever they want with it.