I have to admit that I don't understand half of this blog post, feels like I'm missing some context, but I do like that the "left pad guy" does a post mortem.
That said, this seems like a weird argument to me:
> but I still don't understand why NPM didn't take the time to find out if any of my modules were widely used and consider ways to handle the unpublishing without breaking anything
Sure, NPM's unpublish mechanism was a misdesign, but is he saying that he expected people at the company to manually go through this every time someone did an unpublish? That doesn't seem too reasonable IMO, NPM the company isn't curating NPM the registry. They host it as a public service.
I can't fault the author all too much here though, if he hadn't triggered "the left-pad incident" then someone else would've not too long after. NPM fixed the problem, by means of a better unpublish policy [0] and that's that.
> On March 18, 2016, Isaac Z. Schlueter, the chief executive officer of npm, Inc., wrote to both Kik Interactive and Koçulu, stating that the ownership of the kik package would be manually transferred to Kik Interactive.
> After Koçulu expressed his disappointment with npm, Inc.'s decision and stated that he no longer wished to be part of the platform, Schlueter provided him with a command to delete all 273 modules that he had registered.[9] Koçulu executed the command on March 22, 2016, removing every package he had previously released.
The author simply ran the script that NPM themselves told him to, and later NPM blamed the author for their own failings.
As someone who avoids javascript and its attendant ecosystem like it's the Visual Basic plague of the 21st Century, the most interesting aspect of this whole story is the fact that Koçulu disconnected from the tech scene for some time, did some amazing hiking and camping and trail discovery, and now .. 8 years later .. still feels compelled to explain himself.
Technology is a fickle muse. We nerds obsess over her and degrade ourselves in her service, but she always calls us back into the light.
As someone who was around for the Morris worm and spent weeks negating its impact, I feel that there is a fundamental issue impacting our ability to make world-changing technology with the current tools. The less we strive to understand the organizational (ethical) failings of technology, the less technology can be used to effect productive change in the realms it is being applied.
That said, I'm about a month (and a few hundred failed compiles) away from taking my own sabbatical, and I can't help but try to reason what things would be like for me, upon my return after some years, in the technological space I've carved out for my own needs, at much different scales and contexts.
Perhaps it should become somewhat standard for us technologists to take sabbaticals, more often, and more seriously, in order to give us the context we need to understand the ethical dilemma that impinges upon our technological prowess.
Koçulu, thank you for your thoughts. I may never be affected by the javascript world, but the lessons it provides from within the temple nevertheless reverberate among the outer chambers ..
> Most of my open source work followed Unix philosophy, so the packages did one thing at a time.
Nobody has suggested that libc -- to take the most obvious example -- is against the Unix philosophy. Debates occur around whether commands / daemons do too much (recent poster child being systemd) or aren't composable.
If anything, the left-pad debacle has shown that NPM package granularity has gone way too small, at a point where package overhead was outweighing the package simplicity benefits.
> Nobody has suggested that libc -- to take the most obvious example -- is against the Unix philosophy.
Plenty of people have suggested that. I'll suggest it for you now if you like. The modern form of libc is very much against the unix philosophy; traditional Unix had a much simpler libc where many functions were just syscalls; some parts of today's libc were hived off into separate libraries like libm, and other parts like NSS and convoluted DNS resolution frameworks just didn't exist at all.
The "unix philosophy" is a useless philosophy - perhaps worse than useless even - because "one thing" is not well defined, so in practice it adds nothing and just leads to arguments.
You could say that Eclipse does "one thing" - being an IDE platform - but I don't think anyone thinks that's what the Unix devs meant. Similarly I don't think they meant for people to write libraries that contain one 11-line function.
The actual advice should be something like "programs/libraries shouldn't try to do too much or too little". How do you know how much is too much or too little? Like so many programming guidelines the answer is you need taste and experience.
The Unix philosophy tells you how to get a powerful interactive programming environment on a 16-bit minicomputer where the maximum text segment size was 64KiB. The libc I'm using on this cellphone is 1MiB, 16× bigger. So at least 90% of libc is against the Unix philosophy.
I don't see how anyone could read the Lions book or APUE, on one hand, and the pthreads manual or the ANSI C specification of setlocale(), on the other, and come to the conclusion that they represent the same philosophy. It's like thinking Ayn Rand is an exponent of the same philosophy as Epicurus; it betrays a staggering lack of sincere engagement with either one.
I remember the incident and what struck me most is how, for me, this was a clear example of a community (Javascript) that depended too much on dependencies (pun somewhat intended).
I don't know why so many people put so much blame on you. You unpublished a package with 11 lines of code [0]. I don't think you fully understood the frustration it would cause. And you mentioned that in the post.
> NPM didn't show usage stats, and there was almost no activity on Github. As a user, it was impossible to know the impact of unpublishing packages
The root cause imo isn't akoculu unpublishing the package. In my opinion that lies more in the over-reliance on dependencies, the npm policies and maybe also build systems not caching/vendoring code.
Azer Koçulu has never been a scourge to the NPM ecosystem. Nobody forced anyone to use left-pad. The reason it got included in so many projects is due to messy transitive dependencies.
Jon Schlinkert on the other hand is going out of his way to produce these micro libraries and then include them in his widely used legitimate projects (handlebars-helpers) with zero willingness to simply integrate them into the projects that actually use them. Here is the deal: Do you want to be trolled? Then use handlebars-helpers, if not, then stop using the damn library.
On top of that, he only ran the script that NPM themselves provided him. Yes, the micro-package situation was absurd, but Azer Koçulu did nothing wrong. NPM did by forcibly taking his package, and then by providing him with scripts that were clearly unsafe to run. That Azer Koçulu got any blame for this is ridiculous.
Jon Schlinkert is a typical marketing A-hole. He should be banned from NPM and Github IMHO.
I think this is the biggest irony of it: the kik package, which Kik were so desperate to have, is basically sweet Fanny Adams.
Also, Kik turn out to be negligent and pretty scummy. There was some controversy with them involving crypto, but the main thing I remember about them is that Kik is rife in terms of trading pornography, including child pornography, as discussed on this Darknet Diaries episode: https://darknetdiaries.com/episode/93/.
So, from that point of view, I quite enjoy that Azer Koçulu told them to fuck off.
left-pad even being a package is pretty funny, no? How many bytes got pumped across CDNs, proxies, build pipelines, etc. just to write a tiny utility function? I'm all for taking advantage of existing solutions, but I can't wrap my head around needing to pad a string and thinking "oh, I bet there's a package for that"
I remember part of the discourse being that this was a much needed wake up call to web-devs for their relentless reliance on micro packages like left-pad. Part of it was the culture of publishing packages for the sake of popularity and github stars. Part of it were also devs insisting that implementing anything that could otherwise be installed through NPM was "reinventing the wheel". Today I work with a lot of devs who still prefer using micro packages, regardless of their simplicity, because to them it means "less maintenance". Go figure.
Really, what's the qualitative difference between reaching for a utility function that someone else already wrote within your project and reaching for a package that someone else already published within your ecosystem? They're obviously not the same thing but are they so far apart that you can't wrap your head around it wanting to treat them the same, given sufficiently advanced tooling?
The biggest reason for this is reuse between libraries - if you use 10 libraries, you don't want each of them to add its own leftpad. This is especially a problem if this happens in client code and you then send duplicate code to the browser.
> On the NPM side, I observed general condescending attitude towards developers, which led them to make a series of unreasonable decisions and ultimately blame me for all the cost.
NPM has not really learned much in the time since this event either.
It was good that this happened. Name squatting is a real problem and when in doubt, err on the side of least surprise. Not having usage statistics was a real problem. Being able to just unpublish was a real problem. Infrastructure relying on trivial 10-liners by opinionated individuals was (and still is) a real problem. Nobody in this situation is truly at fault, because nobody owes anyone anything, yet everyone can learn something from it.
Maintainer of a few top-10 npm packages here. This makes complete sense.
Somewhere along the way NPM stopped being cooperative with the community. It cemented itself with the Microsoft acquisition, but was obvious quite a bit before that.
There were so many cracks with how npm functioned, they weren't cooperating well with the community / mainline Node team, their push to commercial viability was really off-putting and forced, and many of the team members had a somewhat rough reputation.
Indeed I visited the offices in Oakland (if I recall correctly), and had an... interesting set of interactions there, not particularly positive, that I'll keep to myself.
The unpublish hole was well known at the time. Everyone blamed left-pad for breaking the internet, as it were, but nobody seemed to come down on npm for the sheer mismanagement of it all.
If memory serves they forcefully reinstated the package against the maintainer's wishes, which is a divorcement from the people they claimed to serve at best, and legally dubious at worst. Shortly after this they stopped caring much at all about abuse on their platform (core.js advertisement spam, anyone?) and haven't really worked with the community on standards, compatibility, etc. after that.
The npm@5 release was a disaster. The introduction of package lock files couldn't have gone worse, and as I remember it it was a push to get it out alongside the next Node.js major release (I got the feeling the Node team didn't wait for npm to be ready, which I think is a good thing given npm is a for-profit, or at least acts like one).
The community outreach during that time of what seemed like endless major, catastrophic bugs and the shaming of the community for putting pressure on them, the pious attitude, was only further proof that npm was no longer an agent of FOSS. I can't remember if left-pad came before or after that but in my head it was all one long drawn out declination of the ecosystem.
The packages on npm are a meme now; small packages that do trivial tasks, and everyone likes to make fun of it. Maybe it wasn't the best thing, in hindsight. But context is crucial; npm was the first incredibly accessible package manager for an emergent popular technology, almost entirely community managed, with a good system for querying and tight integration with Github's "social coding" spirit.
It existed very early in the Node lifetime, back before even ES5 was available (we still used `var` and `prototype`!), before JavaScript best practices really existed. Before Node.js was given to the community by Joyent. Before even the Io.js fork and the exit from the long stagnation that was Node 0.10/0.12.
Nobody knew the best way to do things.
I can completely understand the author. From a security perspective I'm really thankful left-pad happened, even if it wasn't the reasoning of the author; it made people acutely aware of what relying on corporate interests divested from the communities they claim to serve, bring to the table in terms of risk. It started many conversations about supply chain security, redundancy, etc. That's a hard thing to do, and it's made the industry a bit better in the long run.
I'm going to preface this with "I'm not sure if the culture is still there, nor do I develop JavaScript" ... so I'm writing about something I remember reading.
Sometimes people will include it as a dependency as a joke in their useful library. Other times the people who write these put it in useful libraries that they contribute to so that use of the useful boosts their numbers. I'm forgetting where it is now, but it was one of the big foundational libraries in React that used one of those and there was resistance to replacing (I believe) an include and use of is-even because they were a very strict adherent to the "never write code you can include" which meant that everything using it included it.
To me it is very strange how many companies do not internally mirror every single dependency of their builds. You should be able to do a clean build fully offline (and not count on luck with the download caches).
In decreasing order of importance: culture, a good standard library, and tooling that pushes you to be deliberate about your dependencies rather than dumping 300 stupid packages inside every project.
Maven is incredibly well designed (and ironically gets nothing but hate for it), it's probably the hidden reason Java is so successful.
Why does Maven exist, without the commercial compromises of NPM? Probably because Java has the well-funded, well-supported, but non-profit and community-oriented Apache foundation, which is something extremely rare and precious (and probably at least partly a lucky result of Java's complicated legal history).
(JS has plenty of great utility libraries. The problem is that its package management is excessively centralised and not managed terribly well)
How come this is related to JS only? Like, if I own a python/rust/go/whatever public package named XYZ and later a company named XYZ forces me to release the package because of trademark issues, and I cannot do but obey, all my packages may run the same luck, so anybody relying on them would be screwed.
I don’t see how the size of the package matters here.
I never got why people were so mad at the guy behind left-pad. The entire incident showcases the sheer lunacy behind common web frameworks, and the power and control they sacrificed for the ease of use of external dependencies. If your day is ruined because some random guy you've never heard of on the other side of the world got an angry letter from lawyers, maybe take a look at the house of cards your product is based on rather than lay down blame.
left-pad will happen again. Maybe not on NPM, but on crates.io/pypi/Google's go proxy. All it takes is for a developer to join the ICC and piss off Trump and suddenly the code is impossible to find on any of the standard repositories. Even Go will have issues because despite the Github references, all the standard go traffic still goes through Google. Or even worse, someone fights back against a recent invasion and uploads a virus that wipes the drive of whatever locale they're targeting.
> Left-pad was like a "death" and "re-birth" moment for me. The part of me passionate about open-source was dead, and something new took over. Now, I'm passionate about business, marketing, running companies / teams
When was the last time you were threatened (“we’ll bang on your door and take down your accounts”) by a company like Kik and you defended the principles and values you believed until the end?
I’m quite familiar with both western and eastern traditions, don’t know any better source than Ghazali’s “the alchemy of happiness” about how people make decisions.
It’s kind of ironic to see people being triggered by just the mention of it though — just reflects what your heart tends to reject impulsively. I wish you curiosity.
P.S Here’s the full quote, it entertainingly describes the ignorance here:
“first, they didn't look at the dates of the emails. They don't understand the timeline.
second, they can't relate to standing your ground in a high pressure situation involving threats.
and third, they haven't read Al-Ghazali yet, don't quite understand how (free) people make decisions”
I don't know that I fully buy this either, at least not the anger part.
I can look back on all this with wry amusement nowadays but I remember it being pretty frustrating at the time.
It sort of felt like, well, either you knew what the impact of unpublishing all your packages would be and you did it anyway, which makes you kind of antisocial, or you didn't know what the impact would be but did it anyway, which makes you kind of a hothead. And in this latest piece Azer has admitted that he didn't understand what the impact would be so... y'know... I do wonder if anger was at least a small factor.
Regardless, it's pretty clear that npm bear a lot of the responsibility for what happened. It's also something that happened a very long time ago and, as I've already implied, is just a funny story nowadays, not something I can manage any ire towards Azer over.
>(definitely the most pompous and self-important part of this post)
What compels you to say this? Would you be more satisfied if he'd suggested the reader acquaint themselves with Thomas Aquinas or Augustine of Hippo? Are you familiar with al-Ghazali, the scholar, or is he new to you?
You have, rather literally, proven the philosopher's point - while remaining, it seems, ignorant of it.
Or perhaps, you mean to imply that /u/akoculu was doing a good deed not because he cared, but to show off?
The irony is, al-Ghazali asked his readers to question their pomp and self-importance, and to do good deeds because they truly cared, not because it would result in social acknowledgement by the mass collective, whose motives should always be questioned, effectively.
Perhaps, then, your position is more of a reflection of your own condition? One would hope your disdain is borne on an actual understanding of al-Ghazali's position, vis a vis self-doubt ... or rather, one would hope your current position is based on an ignorance of his works, actually.
One should never feel so compelled to deny the enlightenment of others, especially if by doing so, you resort to personally-motivated obscurantism in response.
"Please don't pick the most provocative thing in an article or post to complain about in the thread. Find something interesting to respond to instead."
skrebbel|8 months ago
[0] https://docs.npmjs.com/policies/unpublish#packages-published...
randunel|8 months ago
nicou|8 months ago
DanielHB|8 months ago
They do in fact curate the registry, mainly for reporting vulnerabilities to consumers and to remove malicious packages.
JJMcJ|8 months ago
After left-pad, I understood why.
aa-jv|8 months ago
shellac|8 months ago
0xAFFFF|8 months ago
lmm|8 months ago
cjs_ac|8 months ago
IshKebab|8 months ago
kragen|8 months ago
andruby|8 months ago
[0] https://en.wikipedia.org/wiki/Npm_left-pad_incident#Backgrou...
imtringued|8 months ago
dkersten|8 months ago
pstadler|8 months ago
[0] https://www.npmjs.com/package/kik?activeTab=versions
bartread|8 months ago
manuhabitela|8 months ago
arturocamembert|8 months ago
ale|8 months ago
arcastroe|8 months ago
[1] https://en.wikipedia.org/wiki/Npm_left-pad_incident
ben0x539|8 months ago
croes|8 months ago
How many prompts can already be solved with a simple web query?
C&P but with extra steps
codegladiator|8 months ago
panstromek|8 months ago
wiseowise|8 months ago
lloydatkinson|8 months ago
incrudible|8 months ago
junon|8 months ago
Good followup, neat to read this after so long.
dontlaugh|8 months ago
Npm (and JS in general) is a victim of fashion, primarily.
Sankozi|8 months ago
For me it was surprising that so many projects used this naive implementation. A non-naive implementation is faster and much smaller.
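The naive-versus-non-naive point above, as an added example that is not code from the original thread or from the left-pad package: a loop-based padding function next to one built on String.prototype.padStart (part of the language since ES2017), plus a check that the two agree on the edge cases an 11-line one-off tends to skip. The input cases are constructed for the example.

```javascript
// Loop-based version: prepend one pad character at a time until the target
// width is reached. Non-string input is coerced (the original package accepted
// numbers), and only the first character of padChar is used.
function leftPadNaive(value, width, padChar = " ") {
  let str = String(value);
  const ch = String(padChar).length > 0 ? String(padChar)[0] : " ";
  while (str.length < width) {
    str = ch + str;
  }
  return str;
}

// Built-in version: String.prototype.padStart does the same fill in one call.
// Same single-character pad semantics as above so the two can be compared;
// padStart itself also accepts a multi-character fill string.
function leftPadBuiltin(value, width, padChar = " ") {
  const str = String(value);
  const ch = String(padChar).length > 0 ? String(padChar)[0] : " ";
  return str.padStart(width, ch);
}

// Constructed edge cases: number input, zero and negative width, input already
// wider than the target, empty input, empty pad string, non-ASCII pad character.
const PAD_CASES = [
  ["5", 3, "0"],
  [42, 6, "0"],
  ["abc", 2, " "],
  ["abc", 0, "*"],
  ["abc", -4, "*"],
  ["", 4, "."],
  ["x", 3, ""],
  ["ab", 5, "é"],
];

// Returns the cases on which the two implementations disagree; an empty list
// means the built-in is a drop-in replacement for the loop on these inputs.
function disagreements(cases = PAD_CASES) {
  return cases.filter(
    ([value, width, pad]) =>
      leftPadNaive(value, width, pad) !== leftPadBuiltin(value, width, pad)
  );
}
```

The loop allocates a new string per iteration, which is the cost the comment refers to; padStart computes the fill length once. Negative or zero widths return the input unchanged in both, and an empty pad string falls back to a space rather than looping forever.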
shagie|8 months ago
People are after the "number of downloads" metric on npm for various reasons. Left-pad has 1.4 million weekly downloads https://www.npmjs.com/package/left-pad Is-even has 160k weekly downloads https://www.npmjs.com/package/is-even
One such story: Why has there been nearly 3 million installs of is-odd - npm in the last 7 days? - https://www.reddit.com/r/programming/comments/886zji/why_has...
efilife|8 months ago
_thisdot|8 months ago
- https://news.ycombinator.com/item?id=11349870
praptak|8 months ago
1718627440|8 months ago
hu3|8 months ago
I vendor dependencies on the projects I work.
Predictable, offline builds. Storage is cheap.
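The offline-build point above, as an added example that is not part of the original thread and not npm's own code: a script that audits a package-lock.json (lockfile v2/v3 layout, where installed packages live under the "packages" map) for dependencies that could not be rebuilt from an internal mirror. It flags entries whose `resolved` URL is not on an approved host, entries with no `integrity` hash, and entries whose hash is sha1 rather than sha512. The allowed host names and the lockfile contents are constructed for the example.

```javascript
// Hosts an internal build is allowed to fetch tarballs from. Both names are
// assumed for the example; a real mirror would typically be the only entry.
const ALLOWED_HOSTS = new Set(["npm.internal.example", "registry.npmjs.org"]);

// A constructed lockfile v3 fragment. The integrity values are placeholders,
// not the real hashes of these packages.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://npm.internal.example/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-placeholderplaceholderplaceholderplaceholder==",
    },
    "node_modules/is-even": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/is-even/-/is-even-1.0.0.tgz",
      integrity: "sha1-placeholderplaceholderplac=",
    },
    "node_modules/helper-from-git": {
      version: "0.1.0",
      resolved: "git+ssh://git@github.com/example/helper-from-git.git#0123abcd",
    },
  },
};

// Extracts the host from a resolved URL; returns null for anything the URL
// parser rejects, which the audit then treats as an unapproved source.
function resolvedHost(resolved) {
  try {
    return new URL(resolved).hostname;
  } catch {
    return null;
  }
}

// Walks every installed package in the lock and returns one finding per
// problem as { name, reason }. An empty array means every dependency pins an
// approved source and a strong hash, so an offline install from the mirror
// can reproduce the tree.
function auditLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!meta.resolved) {
      findings.push({ name, reason: "no resolved URL" });
      continue;
    }
    const host = resolvedHost(meta.resolved);
    if (host === null || !allowedHosts.has(host)) {
      findings.push({ name, reason: `resolved from unapproved source ${meta.resolved}` });
    }
    if (!meta.integrity) {
      findings.push({ name, reason: "missing integrity hash" });
    } else if (!meta.integrity.startsWith("sha512-")) {
      findings.push({ name, reason: `weak integrity algorithm ${meta.integrity.split("-")[0]}` });
    }
  }
  return findings;
}

// Convenience for CI gates: true only when the audit is clean.
function lockfileIsReproducible(lock, allowedHosts = ALLOWED_HOSTS) {
  return auditLockfile(lock, allowedHosts).length === 0;
}
```

Feed it the parsed contents of a real package-lock.json in CI, before running `npm ci --offline` against the mirror; npm's `--offline` flag refuses network fetches, so anything the audit flags would otherwise fail at install time, or, on a developer machine without that flag, silently fall back to the public registry. The git-URL case is the one that matters most for the left-pad scenario: a dependency pinned to a remote branch ref has neither a mirrored tarball nor a hash to verify against.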
majorbugger|8 months ago
madeofpalk|8 months ago
Lodash has had pad/padStart/padEnd since 2016, 3 months before left-pad incident. https://lodash.info/doc/pad
qsort|8 months ago
lmm|8 months ago
merb|8 months ago
q3k|8 months ago
dagw|8 months ago
lvl155|8 months ago
tkiolp4|8 months ago
heroku|8 months ago
chromehearts|8 months ago
lpln3452|8 months ago
He fulfilled his responsibilities as an author.
jeroenhd|8 months ago
iLoveOncall|8 months ago
Wow, I couldn't think of a worse rebirth.
tkiolp4|8 months ago
nindalf|8 months ago
It's because you haven't read al-Ghazali yet.
(definitely the most pompous and self-important part of this post)
akoculu|8 months ago
bartread|8 months ago
toledocavani|8 months ago
aa-jv|8 months ago
dang|8 months ago
"Eschew flamebait. Avoid generic tangents."
"Edit out swipes."
https://news.ycombinator.com/newsguidelines.html
We detached this subthread from https://news.ycombinator.com/item?id=44245579.
junon|8 months ago
throwaway290|8 months ago
Since then the name is basically squatted?
Whether you use left-pad or not is up to you... but this Kik story is just a bad look for Microsoft all around.
furkansahin|8 months ago